Download Document - Fortinet Document Library

Document related concepts

Ecological interface design wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Human–computer interaction wikipedia , lookup

Transcript
FortiAuthenticator v2.1
Administration Guide
FortiAuthenticator v2.1 Administration Guide
March 26, 2013
23-210-144822-20130326
Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.
Technical Documentation
docs.fortinet.com
Knowledge Base
kb.fortinet.com
Customer Service & Support
support.fortinet.com
Training Services
training.fortinet.com
FortiGuard
fortiguard.com
Document Feedback
[email protected]
Table of Contents
Introduction....................................................................................................... 6
Before you begin...................................................................................................... 6
How this guide is organized..................................................................................... 6
Registering your Fortinet product ............................................................................ 6
Setup and System ............................................................................................ 7
Initial setup............................................................................................................... 8
FortiAuthenticator VM setup .............................................................................. 8
Administrative access - VM and hardware ...................................................... 10
Adding a FortiAuthenticator unit to your network.................................................. 10
System maintenance .............................................................................................
Backing up the configuration ...........................................................................
Upgrading the firmware ...................................................................................
Licensing..........................................................................................................
11
11
12
12
SNMP..................................................................................................................... 12
Configuring SNMP ........................................................................................... 13
High Availability (HA) Operation............................................................................. 14
Administrative access to the HA cluster .......................................................... 15
Configuring email servers and services ................................................................. 16
Configuring SMS gateways ................................................................................... 17
CLI commands....................................................................................................... 19
Troubleshooting ..................................................................................................... 21
Authentication users and servers ................................................................. 22
What to configure ..................................................................................................
Password-based authentication ......................................................................
Token-based authentication ............................................................................
Choosing one-factor or two-factor authentication ..........................................
Authentication servers .....................................................................................
22
23
23
23
23
Adding Users .........................................................................................................
Administrators..................................................................................................
Adding a user account .....................................................................................
User self-registration........................................................................................
Importing users ................................................................................................
Setting a password policy................................................................................
Setting a lock-out policy ..................................................................................
User groups .....................................................................................................
RADIUS attributes............................................................................................
Certificate bindings ..........................................................................................
24
24
25
27
28
28
29
29
29
30
Page 3
Adding FortiToken devices and FortiToken Mobile apps ......................................
FortiAuthenticator and FortiTokens .................................................................
Monitoring FortiTokens ....................................................................................
FortiToken device maintenance.......................................................................
Configuration for FortiTokenMobile device provision ......................................
30
30
31
31
31
Adding FortiGate units as authentication clients ................................................... 31
Importing authentication clients....................................................................... 33
Configuring built-in LDAP ......................................................................................
LDAP directory tree overview ..........................................................................
Creating the LDAP directory tree .....................................................................
Configuring a FortiGate unit for FortiAuthenticator LDAP ...............................
33
34
35
37
Configuring Remote LDAP..................................................................................... 38
802.1X Authentication............................................................................................
The FortiAuthenticator unit and EAP ...............................................................
FortiAuthenticator unit configuration ...............................................................
Configuring certificates for EAP.......................................................................
Configuring switches to use 802.1X authentication ........................................
Configuring clients to use 802.1X authentication ............................................
40
40
41
41
41
42
MAC-based authentication .................................................................................... 45
Monitoring user authentication .............................................................................. 45
Fortinet Single Sign On (FSSO) ..................................................................... 46
Configuring FortiAuthenticator for FSSO............................................................... 46
Basic configuration .......................................................................................... 46
Configuration of the FortiGate units on FortiAuthenticator.............................. 48
Configuring FortiAuthenticator Logon Detection Methods....................................
Active Directory polling ....................................................................................
SSO Login portal..............................................................................................
FortiClient SSO Mobility Agent ........................................................................
RADIUS to FSSO .............................................................................................
49
49
50
51
52
Monitoring Single Sign-On activity ........................................................................
Monitoring domains .........................................................................................
Monitoring SSO users......................................................................................
Monitoring domain controllers .........................................................................
Monitoring FortiGate units ...............................................................................
Viewing SSO authentication events on the FortiGate unit...............................
52
52
52
53
53
53
Supporting RADIUS Single Sign On (RSSO) ................................................ 54
Configuring the RADIUS Accounting Proxy...........................................................
Defining the RADIUS accounting source .........................................................
Defining rule sets .............................................................................................
Defining destinations for RADIUS accounting records....................................
Fortinet Technologies Inc.
Page 4
54
54
54
57
FortiAuthenticator v2.1 Administration Guide
Certificate Management ................................................................................ 58
Certificate Authorities (CA)..................................................................................... 59
Certificates ....................................................................................................... 59
Certificate Revocation List (CRL) ..................................................................... 61
User and server certificates ................................................................................... 62
Signing user certificates................................................................................... 64
Online certificates (SCEP) ...................................................................................... 64
Logging............................................................................................................ 66
Configuring logging................................................................................................
Backing up logs to a remote FTP server .........................................................
Logging to a remote syslog server ..................................................................
Auto-deletion of old logs..................................................................................
66
66
66
67
Accessing logs....................................................................................................... 67
Troubleshooting ............................................................................................. 69
Index ................................................................................................................ 70
Fortinet Technologies Inc.
Page 5
FortiAuthenticator v2.1 Administration Guide
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
This chapter contains the following topics:
• Before you begin
• How this guide is organized
Before you begin
Before you begin using this guide, please ensure that:
• You have administrative access to the web-based manager and/or CLI.
For details of how to accomplish this, see the QuickStart Guide provided with your product.
Thes can also be found at http://docs.fortinet.com/fauth.html.
• The FortiAuthenticator unit is integrated into your network.
• The operation mode has been configured.
• The system time, DNS settings, administrator password, and network interfaces have been
configured.
• Any third-party software or servers have been configured using their documentation.
While using the instructions in this guide, note that administrators are assumed to be
super_admin administrators unless otherwise specified. Some restrictions will apply to other
administrators.
How this guide is organized
This FortiAuthenticator Administration Guide contains the following sections:
Setup and System describes initial setup for standalone and HA cluster FortiAuthenticator
configurations.
Authentication users and servers describes how to configure built-in and remote authentication
servers and manage user groups.
Fortinet Single Sign On (FSSO) describes how to use the FortiAuthenticator unit in a single sign
on (SSO) environment.
Certificate Management describes how to manage X.509 certificates and how to set up the
FortiAuthenticator unit to act as an Certificate Authority.
Logging describes how to view the logs on your FortiAuthenticator unit.
Troubleshooting provides suggestions to resolve common problems.
Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your Fortinet
product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet
customer services, such as firmware updates, technical support, and FortiGuard Antivirus and
other FortiGuard services, require product registration.
Fortinet Technologies Inc.
Page 6
FortiAuthenticator v2.1 Administration Guide
Setup and System
FortiAuthenticator is an Authentication server that includes a RADIUS server and an LDAP
server. Authentication servers are an important part of an enterprise network, providing access
to protected network assets and tracking users’ activities to comply with security policies.
FortiAuthenticator provides user identity services to the Fortinet product range and other third
party devices. FortiAuthenticator delivers multiple features including:
Authentication: FortiAuthenticator presents RADIUS and LDAP authentication methods.
Two Factor Authentication: FortiAuthenticator can act as a two-factor authentication server
with support for one-time passwords using FortiToken 200, FortiToken Mobile, SMS, or e-mail.
FortiAuthenticator two-factor authentication is compatible with any system which supports
RADIUS.
IEE802.1X Support: FortiAuthenticator supports 802.1X for use in FortiGate Wireless and
Wired networks.
User Identification: FortiAuthenticator can identify users through multiple data sources
including Active Directory, Desktop Client, Captive Portal Logon, and RADIUS Accounting and
can communicate this information to FortiGate or FortiMail units for use in Identity Policies.
Certificate Management: FortiAuthenticator can create and sign digital certificates for use, for
example, in FortiGate VPNs.
FortiAuthenticator provides an easy-to-configure remote authentication option for FortiGate
users. Additionally, it can replace the FSSO Agent on a Windows AD network.
FortiAuthenticator is a server and should be isolated on a network interface separate from other
hosts to facilitate server-related firewall protection. Be sure to take steps to prevent
unauthorized access to the FortiAuthenticator.
Fortinet Technologies Inc.
Page 7
FortiAuthenticator v2.1 Administration Guide
Figure 1: FortiAuthenticator on a multiple FortiGate unit network
Cli
ork
etw
N
ent
ate
rtiG
Fo
t
uni
Fo
rtiA
uth
ent
ica
tor
Fo
rk
two
e
nt N
e
Cli
nit
te u
a
rtiG
The following topics are included in this section:
• Initial setup
• Adding a FortiAuthenticator unit to your network
• System maintenance
• SNMP
• High Availability (HA) Operation
• Configuring email servers and services
• CLI commands
• Troubleshooting
Initial setup
For information about installing the FortiAuthenticator unit and accessing the CLI or web-based
manager, refer to the Quick Start Guide provided with your unit. The following section provides
information about setting up the Virtual Machine (VM) version of the product.
FortiAuthenticator VM setup
Before using FortiAuthenticator-VM, you need to install the VMware application to host the
FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume
you are familiar with VMware products and terminology.
Fortinet Technologies Inc.
Page 8
FortiAuthenticator v2.1 Administration Guide
System requirements
The minimum system requirements for a computer running the FortiAuthenticator VM image
include:
• Installed latest version of VMware Player, Fusion, or Workstation
• 512 MB of RAM minimum
• one virtual NICs minimum, to a maximum of four virtual NICs
• minimum of 3 GB free space
FortiAuthenticator-VM has kernel support for more than 4GB of RAM in VM images. However,
this support also depends on the VM player version. For more information, see:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&ex
ternalId=1014006
The default "Hardware Version" is 4 to support the widest base of VM players. However you can
modify the VM Hardware Version by editing the following line in the FortiAuthenticator-VM.vmx
file:
virtualHW.version = "4"
FortiAuthenticator-VM image installation and initial setup
The following procedure describes setup on VMware Fusion.
To set up the FortiAuthenticator VM image
1. Download the VM image ZIP file to the local computer where VMware is installed.
2. Extract the files from the zip file into a folder.
3. In VMware Fusion, go to File > Open.
4. Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file and
select Open.
VMware will install and start FortiAuthenticator-VM. This process can take a minute or two to
complete.
5. At the FortiAuthenticator login prompt, enter admin and press Enter.
6. At the password prompt, press Enter.
By default, there is no password.
7. At the CLI prompt enter the following commands:
set port1-ip 192.168.1.99/24
set default-gw 192.168.1.2
Substitute your own desired FortiAuthenticator IP address and default gateway.
You can now connect to the web-based manager at the address you set for port1-ip.
Suspending the FortiAuthenticator-VM can have unintended consequences. Fortinet
recommends that you do not use the suspend feature of VMWare. Instead, shut down the
virtual FortiAuthenticator system using the GUI or CLI, and then shut down the virtual machine
using the VMWare console.
Fortinet Technologies Inc.
Page 9
FortiAuthenticator v2.1 Administration Guide
Administrative access - VM and hardware
Administrative access is enabled by default on port 1. Using the web-based manager, you can
enable administrative access on other ports if necessary.
To add administrative access to an interface
1. Go to System > Network > Interfaces. Select the desired interface to edit.
2. In Admin access, select the types of access to allow.
3. Select OK.
Web-based manager access
To use the web-based manager, point your browser to the port1 IP address, default
192.168.1.99. For example,
http://192.168.1.99
Enter admin as the User Name and leave the Password field blank.
For secure access, you can enter https instead of http in the URL.
Telnet
CLI access is available using telnet to the port1 interface IP address, default 192.168.1.99. Use
the telnet -K option so that telnet does not attempt to log on using your user ID. For example:
$ telnet -K 192.168.1.99
At the FortiAuthenticator login prompt, enter admin. When prompted for password, just press
Enter. By default there is no password. When you are finished, use the exit command to end
the telnet session.
SSH
SSH provides secure access to the CLI. Connect to the port1 interface IP address, default
192.168.1.99. Specify the user name admin or SSH will attempt to log on with your user name.
For example:
$ ssh [email protected]
At the password prompt, just press Enter. By default there is no password. When you are
finished, use the exit command to end the session.
Adding a FortiAuthenticator unit to your network
Before the initial setup of FortiAuthenticator, there are some requirements for your network.
• You must have security policies that allow traffic between the client network and the subnet
of the FortiAuthenticator
• You must ensure that the following ports are open in the security policies between the
FortiAuthenticator and authentication clients: port 8000 (FSSO), ports 389 and 636 (LDAP),
1812 (RADIUS) and 1813 (RADIUS Accounting) in addition to management protocols such
as HTTP, HTTPS, telnet, SSH, Ping, and other protocols you may choose to allow.
To initially setup FortiAuthenticator on your network
1. Log on to the web-based manager.
Use admin for the username. There is no password.
Fortinet Technologies Inc.
Page 10
FortiAuthenticator v2.1 Administration Guide
2. Go to System > Network > DNS. Enter your internal network primary and secondary name
server IP addresses. This is essential for successful FSSO operation.
3. Go to System > Network > Static Routing and create a default route (IP/Mask 0.0.0.0/0) to
your network gateway on the interface that connects to the gateway.
4. Go to System > Dashboard > Status.
5. In System Information, and select Change in the System Time field.
6. Select your time zone from the list.
7. Either enable NTP or set the date/time manually.
Enter a new time and date by either typing it manually, selecting Today or Now, or select the
calendar or clock icons for a more visual method of setting the date and time.
If you will be using FortiToken devices, Fortinet strongly recommends using NTP—FortiToken
Time based authentication tokens are dependent on an accurate system clock.
8. Select OK.
9. If the FortiAuthenticator is connected to additional subnets, configure additional
FortiAuthenticator interfaces as required.
• Go to System > Network > Interfaces to set the IP address and subnet mask for each
interface.
• Go to System > Network > Default Gateway to set the gateway for each interface as
required.
System maintenance
System maintenance tasks include:
• Upgrading the firmware
• Backing up the configuration
• Licensing
For information about High Availability, see “High Availability (HA) Operation” on page 14.
Backing up the configuration
You can back up the configuration of the FortiAuthenticator to your local computer. The backup
file is encrypted to prevent tampering. This configuration file backup includes both the CLI and
web-based manager configuration of the FortiAuthenticator. The backed-up information
includes users, user groups, FortiToken device list, authentication client list, LDAP directory
tree, FSSO settings, remote LDAP, and certificates.
To back up your configuration
1. Go to System > Maintenance > Config.
2. Under Backup, select Download backup file and save the file on your computer.
To restore your configuration
1. Go to System > Maintenance > Config.
2. Under Restore, select Choose File, locate the backup file on your computer, and then select
Restore.
Fortinet Technologies Inc.
Page 11
FortiAuthenticator v2.1 Administration Guide
You will be prompted to confirm the restore action. The FortiAuthenticator unit will reboot.
When you restore the configuration from a backup file, any information changed since the
backup will be lost. Any active sessions will be ended and must be restarted. You will have to
log back in when the system reboots.
Upgrading the firmware
Periodically, Fortinet issues firmware upgrades that fix known issues, add new features and
functionality, and generally improve your FortiAuthenticator experience.
Before proceeding to upgrade your system, Fortinet recommends you back up your
configuration. Please follow the procedure detailed in “Backing up the configuration”,
preceding.
To upgrade the firmware, you must first register your FortiAuthenticator with Fortinet. See
“Registering your Fortinet product” on page 6.
To upgrade FortiAuthenticator firmware
1. Download the latest firmware to your local computer from the Fortinet Technical Support
web site, https://support.fortinet.com.
2. On FortiAuthenticator, go to System > Maintenance > Firmware.
3. Select Choose File, and locate the new firmware image on your local computer.
4. Select OK.
When you select OK, the new firmware image will upload from your local computer to the
FortiAuthenticator, which will then reboot. You will experience a short period of time during this
reboot when the FortiAuthenticator is offline and unavailable for authentication.
Licensing
FortiAuthenticator VM works in evaluation mode until it is licensed. The license is valid only if
one of the FortiAuthenticator interfaces is set to the IP address specified in the license.
To license FortiAuthenticator VM
1. Go to System > Maintenance > License.
2. Select Browse and locate the license file you received from Fortinet.
3. Select OK.
SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your
network. You can configure the hardware, such as the FortiAuthenticator SNMP agent, to report
system information and send traps (alarms or event messages) to SNMP managers. An SNMP
manager, or host, is typically a computer running an application that can read the incoming trap
and event messages from the agent and send out SNMP queries to the SNMP agents.
By using an SNMP manager, you can access SNMP traps and data from any FortiAuthenticator
interface configured for SNMP management access. Part of configuring an SNMP manager is to
list it as a host in a community on the FortiAuthenticator unit it will be monitoring. Otherwise the
SNMP monitor will not receive any traps from that unit, or be able to query that unit.
Fortinet Technologies Inc.
Page 12
FortiAuthenticator v2.1 Administration Guide
The FortiAuthenticator SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant
SNMP managers have read-only access to system information through queries and can receive
trap messages from the FortiAuthenticator unit.
To monitor FortiAuthenticator system information and receive FortiAuthenticator traps, your
SNMP manager needs the Fortinet and FortiAuthenticator Management Information Base (MIB)
files. A MIB is a text file that lists the SNMP data objects that apply to the device to be
monitored. These MIBs provide information that the SNMP manager needs to interpret the
SNMP trap, event, and query messages sent by the FortiAuthenticator unit SNMP agent.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like
MIB) and most of RFC 1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP
Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).
SNMP traps alert you to important events that occur such as overuse of memory or a high rate
of authentication failures.
SNMP fields contain information about the FortiAuthenticator unit, such as CPU usage
percentage or the number of sessions. This information is useful for monitoring the condition of
the unit on an ongoing basis and to provide more information when a trap occurs.
Configuring SNMP
Before a remote SNMP manager can connect to the Fortinet agent, you must configure one or
more interfaces to accept SNMP connections by going to System > Network > Interfaces.
Select the interface, and in Administrative Access, select SNMP.
You can also set the thresholds that trigger various SNMP traps. Note that a setting of zero
disables the trap.
To configure SNMP settings
1. Go to System > Maintenance > SNMP and enter:
Description
Enter descriptive information about the FortiAuthenticator unit.
Location
Enter the physical location of the FortiAuthenticator unit.
Contact
Enter the contact information for the person responsible for this
FortiAuthenticator unit.
CPU utilization trap High load on CPU. Default 90%.
threshold (%)
Memory utilization
trap threshold (%)
Too much memory used. Default 90%.
Auth users trap
threshold (%)
The user table is nearly full. The threshold is a percentage of the
maximum permitted number of users.
Auth groups trap
threshold (%)
The user group table is nearly full. The threshold is a percentage of
the maximum permitted number of user groups.
Radius NAS trap
threshold (%)
The Radius NAS table is nearly full. The threshold is a percentage of
the maximum permitted number of RADIUS NASs.
Auth event
High authentication load. The threshold is the number of
threshold (#/5 mins) authentication events over a 5-minute period.
Auth failure
High rate of authentication failure. The threshold is the number of
threshold (#/5 mins) authentication failures over a 5-minute period.
Fortinet Technologies Inc.
Page 13
FortiAuthenticator v2.1 Administration Guide
2. Select Apply.
To configure SNMP users and communities
1. Go to System > Maintenance > SNMP.
2. Select Create New under SNMP v1/v2c or SNMP v3 as appropriate.
3. Enter:
Username
The name of the SNMP user.
Security Level
(SNMP v3 only)
Select the security level:
• None - no authentication or encryption
• Authentication only - select Authentication method and enter
Authentication key
• Encryption and authentication - select Encryption method,
enter Encryption key, select Authentication method, and enter
Authentication key
Events
Select the events for which traps are enabled.
4. Select OK.
5. In SNMP Notification Hosts, select Add another SNMP Host and enter the IP address.
User Name
The name of the SNMP user.
Security Level
(SNMP v3 only)
Select the user’s security level:
• None - no authentication or encryption
• Authentication only - select Authentication method and enter
Authentication key
• Encryption and authentication - select Encryption method,
enter Encryption key, select Authentication method, and enter
Authentication key
Notification Host
The IP address or addresses of the SNMP notification host.
Optionally, you can add multiple SNMP hosts.
6. Select OK.
High Availability (HA) Operation
Two FortiAuthenticator units can operate as a cluster to provide even higher reliability. One unit
is active and the other is on standby. If the active unit fails, the standby unit becomes active.
The cluster is configured as a single authentication server on your FortiGate units.
Authentication requests made during a failover from one unit to another are lost, but
subsequent requests complete normally. The failover process takes about 30 seconds.
Fortinet Technologies Inc.
Page 14
FortiAuthenticator v2.1 Administration Guide
To configure FortiAuthenticator HA
1. On each unit, go to System > Maintenance > High Availability and enter:
Enable HA
Enable
Interface
Select a network interface to use for communication between the
two cluster members. This interface must not already have an IP
address assigned and it cannot be used for authentication services.
Both units must use the same interface for HA communication.
Cluster member
IP address
Enter the IP address this unit uses for HA-related communication
with the other FortiAuthenticator unit. The two units must have
different addresses. Usually, you should assign addresses on the
same private subnet.
Admin access
Select the types of administrative access to allow.
Priority
Set to Low on one unit and High on the other. Normally, the unit with
High priority is the master unit.
Password
Enter a string to be used as a shared key for IPsec encryption. This
must be the same on both units.
2. When one unit has become the master, connect to the web-based manager again and
complete your configuration. You are configuring the Master unit. The configuration will
automatically be copied to the slave unit.
Administrative access to the HA cluster
Administrative access is available through any of the network interfaces using their assigned IP
addresses or through the HA interface using the Cluster member IP address, assigned on the
System > Maintenance > High Availability page. In all cases, administrative access is available
only if it is enabled on the interface.
Administrative access through any of the network interface IP addresses connects only to the
master unit. The only administrative access to the slave unit is through the HA interface using
the slave unit’s Cluster member IP address.
Configuration changes made on the master unit are automatically pushed to the slave unit. The
slave unit does not permit configuration changes, but you might want to access the unit to
change HA settings or for firmware upgrade, shutdown, reboot, or troubleshooting.
FortiAuthenticator VMs used in an HA cluster each require a license. Each license is tied to a
specific IP address. In an HA cluster, all interface IP addresses are the same on the two units,
except for the HA interface. Request each license based on either the unique IP address of the
unit’s HA interface or the IP address of a non-HA interface which will be the same on both units.
If you disable and then re-enable HA operation, the interface that was assigned to HA
communication will not be available for HA use. You must first go to System > Network >
Interfaces and delete the IP address from that interface.
Fortinet Technologies Inc.
Page 15
FortiAuthenticator v2.1 Administration Guide
Configuring email servers and services
The FortiAuthenticator unit sends email for several purposes, such as password reset requests,
new user approvals, user self-registration, and two-factor authentication.
By default, the FortiAuthenticator unit uses its built-in SMTP server. This is provided for
convenience, but is not necessarily optimal for production environments. Fortinet recommends
that you configure the unit to use a reliable external mail relay.
There are two distinct email services for
• Administrators - password reset, new user approval, two-factor authentication, etc.
• Users - password reset, self-registration, two-factor authentication, etc.
To add an external SMTP server
1. Go to System > Messages > SMTP Servers and select Create New.
2. Enter the following:
Name
Enter a name to identify this mail server on the FortiAuthenticator
unit.
Server Name/IP
Enter the IP address or FQDN of the mail server.
Port
The default port 25. Change it if your SMTP server uses a different
port.
Sender e-mail
address
Enter the email address to put in the From field on email messages
from the FortiAuthenticator unit.
Secure connection
For a secure connection to the mail server, select STARTTLS and
select the CA certificate that validates the server’s certificate. For
information about importing the CA certificate, see “To import a CA
certificate” on page 60.
Enable
authentication
Select if the email server requires you to authenticate when sending
email. Enter the Account username and Password.
3. Optionally, select Test Connection to send a test email message. Specify a recipient and
select Send. Confirm that the recipient received the message.
The recipient’s email system might treat the test email message as spam.
4. Select OK.
To set the default email server
1. Go to System > Messages > SMTP Servers.
2. Select the check box of the server that you want to make the default.
3. Select Set as Default.
To configure email services
1. Go to System > Messages > E-mail Services and select Administrators.
2. Select the SMTP Server to use for these email messages.
Fortinet Technologies Inc.
Page 16
FortiAuthenticator v2.1 Administration Guide
3. Optionally, you can change the FortiAuthenticator Public Address included in the email to
users. Change Address discovery method from Automatic discovery to
• Specify an address - provide the IP address or FQDN
or
• Use the IP address from a network interface - select the interface
4. Select OK.
If any information is missing or invalid, you are prompted to make corrections.
5. Select Users and repeat steps 2 through 4.
Configuring SMS gateways
If you will send SMS messages to users, you must configure the SMS gateways that you will
use. Ask your SMS provider for information about using its gateway. The FortiAuthenticator
SMS gateway configuration differs according to the protocol your SMS provider uses.
You can also configure the message that you will send to users. You can use the following tags
for user-specific information:
Table 1: Tags used in SMS messages
Tag
Information
{{:country_code}}
Telephone country code, e.g.: 01 for North America.
{{:mobile_number}}
User’s cell phone number
{{:message}}
“Your authentication token code is ” and the code.
To add an SMS gateway - SMTP
1. Go to System > Messages > SMS Gateways and select Create New.
2. Enter a Name for this SMS gateway.
3. In Protocol, select SMTP.
4. Select the SMTP server you use to contact the SMS gateway.
The SMTP server must already be configured. See “Configuring email servers and services”
on page 16.
5. In Mail-to-SMS gateway, change “domain.com” to the SMS provider’s domain name.
The default entry “{{:mobile_number}}@domain.com” assumes that the address is the user’s
cell number followed by “@” and the domain name. In the E-mail Preview field, check the To
field to ensure that the format of the address matches the information from your provider.
6. Optionally, modify the Subject and Body fields.
The default entries provide the authentication code message as both subject and body of
the SMS message.
7. Optionally, select Test Settings to send a test SMS message to the user.
8. Select OK.
To add an SMS gateway - HTTP or HTTPS
1. Go to System > Messages > SMS Gateways and select Create New.
2. Enter a Name for this SMS gateway.
3. In Protocol, select HTTP or HTTPS, as appropriate.
Fortinet Technologies Inc.
Page 17
FortiAuthenticator v2.1 Administration Guide
4. In API URL, enter the gateway URL, omitting the protocol prefix “http://” or “https://”. Also
omit the parameter string that begins with “?”.
5. If Protocol is HTTPS, select the CA Certificate that validates this SMS provider.
6. In the Field boxes, enter the parameter names that the SMS provider’s URL requires, such as
“user” and “password”. In the Value boxes, enter the corresponding values or tags.
If you need more parameter entries, select Add another SMS Gateway HTTP Parameter.
You can view the resulting URL in the URL Preview.
7. Optionally, select Test Settings to send a test SMS message to the user.
8. Select OK.
Fortinet Technologies Inc.
Page 18
FortiAuthenticator v2.1 Administration Guide
CLI commands
The FortiAuthenticator has CLI commands that are accessed using the console, SSH, or Telnet.
Their purpose is to initially configure the unit, perform a factory reset, or reset the values if the
web-based manager is not accessible for some reason.
Configuration commands
set port1-ip <addr_ipv4mask>
Enter the IPv4 address and netmask for the port1
interface. Netmask is expected in the /xx format, for
example 192.168.0.1/24.
Once this port is configured, you can use the
web-based manager to configure the remaining
ports.
set default-gw <addr_ipv4>
Enter the IPv4 address of the default gateway for this
interface. This is the default route for this interface.
set date <YYYY-MM-DD>
Enter the current date. Valid format is four digit year,
2 digit month, and 2 digit day. For example set date
2011-08-12 sets the date to August 12th, 2011.
set time <HH:MM:SS>
Enter the current time. Valid format is two digits each
for hours, minutes, and seconds. 24-hour clock is
used. For example 15:10:00 is 3:10pm.
set tz <timezone_index>
Enter the current time zone using the time zone
index. To see a list of index numbers and their
corresponding time zones, enter set tz ? .
set ha-mode {enable | disable} Enable or disable (default) High Availability mode.
set ha-port <interface>
Select a network interface to use for communication
between the two cluster members. This interface
must not already have an IP address assigned and it
cannot be used for authentication services. Both
units must use the same interface for HA
communication.
set ha-priority {high | low}
Set to Low on one unit and High on the other.
Normally, the unit with High priority is the master unit.
set ha-mgmt-ip <ip4_addr>
Enter the IP address with netmask that this unit uses
for HA-related communication with the other
FortiAuthenticator unit. Format: 1.2.3.4/24. The two
units must have different addresses. Usually, you
should assign addresses on the same private subnet.
set ha-mgmt-access
Select the types of administrative access to allow.
{ssh | https | http | telnet}
set ha-dbg-level <level>
Enter the detail level for HA service debug logs.
Range: -4 (least verbose) to 4 (most verbose).
unset <setting>
Restore default value. For each set command listed
above, there is an unset command, for example
unset port1-ip.
Fortinet Technologies Inc.
Page 19
FortiAuthenticator v2.1 Administration Guide
Action commands
help
Display list of valid CLI commands. You can also
enter ? for help.
show
Display current settings of port1 IP, netmask, default
gateway, and time zone.
hardware-info
Show hardware-related information.
ha-rebuild
Rebuild the configuration database from scratch
using the HA peer's configuration.
restore-admin
Restore factory reset's admin access settings to the
"port1" network interface.
exit
Terminate the CLI session.
reboot
Perform a hard restart the FortiAuthenticator unit. All
sessions will be terminated. The unit will go offline
and there will be a delay while it restarts.
factory-reset
Enter this command to reset the FortiAuthenticator
settings to factory default settings. This includes
clearing the user database.
This procedure deletes all changes that you have
made to the FortiAuthenticator configuration and
reverts the system to its original configuration,
including resetting interface addresses.
shutdown
Turn off the FortiAuthenticator.
status
Display basic system status information including
firmware version, build number, serial number of the
unit, and system time.
Tools
nslookup
Basic tool for DNS debugging
dig
Advanced DNS debugging
ping
Connectivity test
tcpdump
Local network traffic details
traceroute
Show the network route to some remote host
Fortinet Technologies Inc.
Page 20
FortiAuthenticator v2.1 Administration Guide
Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may occur.
For additional help, always contact customer support.
If you have issues when attempting authentication on FortiGate using the FortiAuthenticator,
there are some FortiAuthenticator settings and FortiGate settings to check.
In addition to these settings you can use log entries, monitors, and debugging information to
determine more information about your authentication problems. For help with
FortiAuthenticator logging, see “Logging” on page 66. For help with FortiGate troubleshooting,
see the FortiOS Handbook Troubleshooting and User Authentication guides chapters.
FortiAuthenticator settings
When checking FortiAuthenticator settings, you should ensure
• there is an authentication client entry for the FortiGate unit. See “Adding FortiGate units as
authentication clients” on page 31,
• the user trying to authenticate has a valid active account that is not disabled, and that the
username and password are spelled as expected,
• the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit,
• the FortiGate unit can communicate with the FortiAuthenticator unit, on the required ports:
RADIUS Authentication: UDP/1812
LDAP: TCP/389
• the user account exists
• as a local user on the FortiAuthenticator if using (RADIUS authentication),
• in the local LDAP directory (if using local LDAP authentication),
• in the remote LDAP directory (if using RADIUS authentication with remote LDAP
password validation).
• the user is a member in the expected user groups and these user groups are allowed to
communicate on the authentication client (FortiGate unit, for example),
• If authentication fails with the log error “bad password” try resetting the password. If this
fails, verify that the pre-shared secret is identical on both FortiAuthenticator and the
authentication client.
If FortiToken authentication is failing try the following:
• Verify the token is correctly synced.
• Remove the token from the user authentication configuration and verify authentication works
when the token is not present.
• Attempt to log into the FortiAuthenticator with the user credentials.
These steps enable the admin to identify whether the problem is with the FortiGate unit, the
credentials or the FortiToken.
FortiGate settings
When checking FortiGate authentication settings, you should ensure
• the user has membership in the required user groups, and identity-based security policies,
• there is a valid entry for the FortiAuthenticator as a remote RADIUS or LDAP server,
• the user is configured explicitly or as a wildcard user.
Fortinet Technologies Inc.
Page 21
FortiAuthenticator v2.1 Administration Guide
Authentication users and servers
FortiAuthenticator provides an easy-to-configure authentication server for your users. Multiple
FortiGate units can use a single FortiAuthenticator unit for remote authentication and FortiToken
device management.
Figure 2: FortiAuthenticator on a multiple FortiGate unit network
Cli
ork
etw
N
ent
ate
rtiG
o
F
t
uni
Fo
rtiA
uth
ent
ica
tor
rt
te
iGa
Fo
ork
etw
N
ent
Cli
t
uni
The following topics are included in this section:
• What to configure
• Adding Users
• Adding FortiToken devices and FortiToken Mobile apps
• Adding FortiGate units as authentication clients
• Configuring built-in LDAP
• Configuring Remote LDAP
• 802.1X Authentication
• MAC-based authentication
• Monitoring user authentication
What to configure
You need to decide which elements of FortiAuthenticator configuration you need.
• Determine the type of authentication you will use: password-based or token-based.
Optionally, you can enable both types, this is called two-factor authentication.
• Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote
LDAP. You will need to use at least one of these server types.
• Determine which FortiGate units or third-party devices will use the FortiAuthenticator unit.
The FortiAuthenticator unit must be configured on each FortiGate unit as an authentication
Fortinet Technologies Inc.
Page 22
FortiAuthenticator v2.1 Administration Guide
server, either RADIUS or LDAP. For RADIUS authentication, each FortiGate unit or third-party
device must be configured on the FortiAuthenticator unit as an authentication client.
Password-based authentication
Users can self-register for password-based authentication. This reduces the workload for the
system administrator. Users can choose their own passwords or have a randomly-generated
password provided in the browser or sent to them through email or SMS. Self-registration can
be instant, or it can require administrator approval. See “User self-registration” on page 27.
Token-based authentication
Token-based authentication requires the user to enter a numeric token at login. The token
changes regularly and is known only to the FortiAuthenticator unit and the user. The token can
be delivered to the user through:
• a FortiToken device
• an email account
• a cell phone number with SMS service
• a cell phone or other mobile device with the FortiToken Mobile app installed
FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be
configured in the user’s account.
Only the administrator can configure token-based authentication. See “Configuring
token-based authentication for a user” on page 25.
Choosing one-factor or two-factor authentication
Two-factor authentication increases security. The two factors are:
• something the user knows, usually a password
• something the user has, such as a FortiToken device
Requiring the two factors increases the difficulty for an unauthorized person to impersonate a
legitimate user.
To enable two-factor authentication, you simply configure both password-based and
token-based authentication in the user’s account.
Two-factor authentication does not work with FortiOS explicit proxies.
Authentication servers
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of
external LDAP, which can include Windows AD servers.
The built-in servers are best used where there is no existing authentication infrastructure. You
build a user account database on the FortiAuthenticator unit. The database can include
additional user information such as street address and phone numbers that cannot be stored in
a FortiGate unit’s user authentication database. You can use either LDAP or RADIUS protocol.
The Remote LDAP option adds your FortiGate units to an existing LDAP structure. Optionally,
you can add two-factor authentication to Remote LDAP.
Fortinet Technologies Inc.
Page 23
FortiAuthenticator v2.1 Administration Guide
RADIUS
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be
registered as a RADIUS authentication clients in Authentication > General > Auth. Clients. See
“Adding FortiGate units as authentication clients” on page 31. On each FortiGate unit that will
use RADIUS protocol, the FortiAuthenticator unit must be configured as a RADIUS server in
User & Device > Authentication > RADIUS Server.
Built-in LDAP
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from
the user database to the appropriate nodes in the LDAP hierarchy. See “Creating the LDAP
directory tree” on page 35. On each FortiGate unit that will use LDAP protocol, the
FortiAuthenticator unit must be configured as an LDAP server in User & Device > Authentication
> LDAP Server.
Remote LDAP
Remote LDAP must be enabled in each user account. FortiGate units must be registered as a
RADIUS accounting SSO client in SSO & Dynamic Policies > Radius Accounting. See “Adding
FortiGate units as authentication clients” on page 31. FortiGate units must communicate with
the FortiAuthenticator unit using RADIUS protocol, with the FortiAuthenticator unit entered as a
RADIUS server in User & Device > Authentication > RADIUS Server.
Adding Users
FortiAuthenticator’s user database is similar to the local users database on FortiGate units, but
it has the added benefit of being able to associate additional information with each user, as you
would expect of RADIUS and LDAP servers. This information includes: whether the user is an
administrator, uses RADIUS authentication, uses two-factor authentication, and personal
information such as full name, address, password recovery options, and of course which
groups the user belongs to.
The RADIUS server on the FortiAuthenticator unit is configured using default settings. For a user
to authenticate using RADIUS, the option Allow RADIUS Authentication must be selected for
that user’s entry, and the FortiGate unit must be added to the authentication client list. See
“Adding FortiGate units as authentication clients” on page 31.
Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as
administrators.
Once flagged as an administrator, a user account’s administrator privileges can be set to either
full access or customized to select their administrator rights for different parts of the
FortiAuthenticator unit. There are log events for administrator configuration activities.
Administrators can also be configured to authenticate to the local system using two-factor
authentication. An account marked as an administrator cannot be used for RADIUS
authentication.
Fortinet Technologies Inc.
Page 24
FortiAuthenticator v2.1 Administration Guide
Adding a user account
When creating a user account, there are three ways to handle the password:
• The administrator assigns a password immediately and communicates it to the user.
• The FortiAuthenticator unit creates a random password and automatically emails it to the
new user’s email address.
• No password is assigned, because only token-based authentication will be used.
To add a user account
1. Go to Authentication > Local User Management > Local Users and select Create New.
2. Enter the Username.
3. In Password creation, do one of the following:
• Select Specify a password. Enter the Password and then enter it again in
Password confirmation.
• Select Set and e-mail a random password. Enter the E-mail address for this user and then
enter it again in Confirm email address. The email address supplied in this step is used
once and not retained in the database.
• Select No password, FortiToken authentication only. After you select OK, you need to
associate a FortiToken device with this user.
4. Select OK. You can now
• Configure token-based authentication. See “Configuring token-based authentication for
a user” below. You must do this if you selected No password, FortiToken authentication
only.
• Select the user’s Role: Administrator or regular User (default).
• Enter additional User Information, such as full name, address, phone numbers.
• Enable Password Recovery Options. See “Configuring the user’s password recovery
options” on page 26.
• Add the user to User Groups. See “User groups” on page 29.
• Add RADIUS Attributes to the account. See “RADIUS attributes” on page 29.
• Bind the user account to a user certificate. See “Certificate bindings” on page 30.
5. Select OK.
Configuring token-based authentication for a user
Token-based authentication requires
• a FortiToken device or mobile device with the FortiToken Mobile app installed,
or
• a device with either email or SMS capability.
If a FortiToken device or FortiToken Mobile app will be used, register it in Authentication >
FortiTokens first.
To configure an account for token-based authentication
1. Go to Authentication > Local User Management > Local Users.
2. Select and edit the chosen user.
3. Select Token-based authentication.
Fortinet Technologies Inc.
Page 25
FortiAuthenticator v2.1 Administration Guide
4. Do one of the following:
• Select FortiToken and then select the FortiToken device serial number from the Hardware
or Software list, as appropriate. The device must be known to the FortiAuthenticator unit.
See “Adding FortiToken devices and FortiToken Mobile apps” on page 30.
• Select Email and enter the user’s email address.
• Select SMS and enter the user’s mobile information.
5. Select OK.
By default, token-based authentication must be completed within 60 seconds after the
authentication code is sent by email or SMS. To change this timeout, go to Authentication >
General > Options and modify Email/SMS Token Timeout.
Configuring the user’s password recovery options
To replace a lost or forgotten password, the FortiAuthenticator unit can send the user a
password recovery link by email or in the browser in response to a pre-arranged security
question. The user then sets a new password.
To configure password recovery by security question
1. Go to Authentication > Local User Management > Local Users.
2. Select and edit the chosen user.
3. Expand Password Recovery options.
4. Select Security Question, and select Edit.
5. Choose one of the questions in the list. If you choose to write your own question, a custom
question field will be displayed where you can enter your question.
6. Enter the answer for your question.
7. Select OK.
To configure password recovery by email
1. Go to Authentication > Local User Management > Local Users.
2. Select and edit the chosen user.
3. Expand User Information, and then enter the user’s E-mail address.
4. Expand Password Recovery Options.
5. Select Email.
6. Optionally, select Manage alternative emails and enter up to three additional email addresses
for this user.
In the event of password recovery, an email message is sent to all configured email
addresses — both the user information email address and the alternative email addresses.
7. Select OK.
How the user can configure password recovery by security question
1. Log in to the user account. The View Profile page opens.
2. Select Edit Profile at the top left of the page.
3. Expand Password Recovery Options.
4. Select Security Question, and select Edit.
5. Choose one of the questions in the list. If you choose to write your own question, a custom
question field will be displayed where you can enter your question.
Fortinet Technologies Inc.
Page 26
FortiAuthenticator v2.1 Administration Guide
6. Enter the answer for your question.
7. Select OK.
How the user can configure password recovery by email
1. Log in to the user account. The View Profile page opens.
2. Select Edit Profile at the top left of the page.
3. Expand Password Recovery Options.
4. Select Email.
5. Optionally, select Manage alternative emails and enter up to three additional email addresses
for this user.
6. Select OK.
How the user recovers from a lost password
1. Browse to the IP address of the FortiAuthenticator.
Security policies must be in place on the FortiGate unit to allow these sessions to be
established.
2. Select Forgot my password.
3. Select either Username or Email as your method of identification.
4. Enter either your username or email address as selected in the previous step, and then
select Next.
This information is used to select the user account. If your information does not match a user
account, password recovery cannot be completed.
5. Do one of the following:
• Select Send a secure link to your account email and select Next. Open the email and
select the password recovery link.
• Select Answer the provided security question and select Next. Enter the correct answer
to the question and select Next.
The recovery options available depend on the settings in the user account.
6. On the Reset Password page, enter and confirm a new password and then select Next.
The user can now authenticate using the new password.
User self-registration
Optionally, you can enable users to request registration through the FortiAuthenticator web
page. Optionally, the user’s request will be emailed to the administrator for approval. When the
account is ready to use, the user receives account information by email or SMS message.
To enable self-registration
1. Go to Authentication > General > User Registration and select Enable.
2. Optionally, select Require admin approval and enter the Admin’s e-mail address.
3. Optionally, specify how long after they are generated should the self-registered accounts be
deleted.
4. Choose either User-defined or Randomly generated password.
Fortinet Technologies Inc.
Page 27
FortiAuthenticator v2.1 Administration Guide
5. Choose how to send account information to the user:
• SMS message
• E-mail
• Display on browser page (not available if admin approval is required)
Optionally, select the Edit link beside any of these options to modify the message.
6. Select OK.
How the user requests registration
1. Browse to the IP address of the FortiAuthenticator unit.
Security policies must be in place on the FortiGate unit to allow these sessions to be
established.
2. Select Register.
The User Registration page opens.
3. Fill in the required fields. Optionally, fill in the Additional Information fields and select OK.
If admin approval is not required and Display on browser page is enabled in the User
Registration settings, the account details are immediately displayed to the user.
To approve a self-registration request
1. Select the link in the “Approval Required for ...” email message.
The New User Approval page opens in the web browser.
2. Review the information and select either Approve or Deny, as appropriate.
Approval is required only if Require admin approval is enabled in the User Registration
settings.
If the request is approved, the FortiAuthenticator unit sends the user an email or SMS
message stating that the account has been activated.
Importing users
You can import user account information from a comma-separated value (.csv) file. Go to
Authentication > Local User Management > Local Users and select Import to do this.
The CSV file has one record per line, with the record format: user name (30 characters max),
first name (30 characters max), last name (30 characters max), email address (75 characters
max), mobile number (25 characters max), password (optional, 128 characters max).
If the optional password is left out of the import file, the user will be e-mailed with temporary
login credentials and requested to configure a new password.
Setting a password policy
You can require a minimum length and complexity for user passwords. Also you can require
users to change their passwords periodically.
To set password complexity requirements
1. Go to Authentication > General > Options.
2. In User Password Complexity, set Minimum length for passwords. The default is 0, which
means that there is no minimum length, but the password cannot be empty.
3. Optionally, select Check for password complexity. You can then enable requirements for
minimum numbers of upper-case letters, lower-case letters, numeric characters, and special
(non-alphanumeric) characters.
4. Select OK.
Fortinet Technologies Inc.
Page 28
FortiAuthenticator v2.1 Administration Guide
To set a password change policy
1. Go to Authentication > General > Options.
2. Set the Maximum password age. The default is 90 days.
3. Optionally, select Enforce password history and set the Number of passwords to remember.
New passwords must not match any of the remembered passwords. For example, if three
passwords are remembered, users cannot reuse any of their three previous passwords.
Setting a lock-out policy
You might want to lock out a user’s account if there are repeated unsuccessful attempts to log
in. This might indicate an attempt at unauthorized access.
To set a lock-out policy
1. Go to Authentication > General > Options.
2. In Lock-Out and Timeout Policies, select Enable user account lock-out policy.
3. In Max. failed login attempts, enter the number of failed attempts that triggers the lock-out.
4. Enter the Lock-out period in seconds.
After the lock-out period expires, the Max. failed login attempts applies again.
User groups
You can assign user groups to a user in the user account configuration. Go to Authentication >
Local User Management > Local Users and edit the user account. Expand the Groups section.
Move the required groups to the Selected Groups list and select OK.
You can assign users to user groups in Authentication > Local User Management >
Local User Groups. Edit the desired group. Move the required users to the Selected users list
and select OK.
RADIUS attributes
Some services can receive information about an authenticated user through RADIUS
vendor-specific attributes. FortiAuthenticator user groups and user accounts can include
RADIUS attributes for Fortinet and other vendors.
Attributes in user accounts can specify user-related information. For example, the Default
attribute Framed-IP-Address specifies the VPN tunnel IP address to be sent to the user by the
Fortinet SSL-VPN.
Attributes in user groups can specify more general information, applicable to the whole group.
For example, specifying third-party vendor attributes to a switch could enable administrative
level login to all members of the Network_Admins group, or authorize the user to the correct
privilege level on the system.
To add RADIUS attributes to a user or a group
1. Go to Authentication > Local User Management > Local Users and select a user account to
edit, or
go to Authentication > Local User Management > User Groups and select a group to edit.
2. In RADIUS Attributes, select Add Attribute.
3. Select the appropriate Vendor and Attr id, then enter the Attribute value.
4. Select OK.
5. Repeat steps 2 through 4 for each additional attribute.
6. Select OK.
Fortinet Technologies Inc.
Page 29
FortiAuthenticator v2.1 Administration Guide
Certificate bindings
To use a local certificate as part of authenticating a user, you need to
• Create a user certificate for the user. See “User and server certificates” on page 62.
• Create a binding to that certificate in the user’s account, as described below.
To create a binding to a certificate in a user’s account
1. Go to Authentication > Local User Management > Local Users and select a user account to
edit
2. Expand Certificate Bindings and select Add Binding.
3. Select either Local CA or Trusted CA and then select the applicable CA certificate.
4. Enter the Common Name on the certificate.
For example, if the certificate says “CN=rgreen”, enter “rgreen”.
5. Select OK.
Adding FortiToken devices and FortiToken Mobile apps
A FortiToken device is a disconnected one-time password (OTP) generator. It is a small physical
device with a button that when pressed displays a six digit authentication code. FortiToken
Mobile is an application for mobile devices that performs the same one-time password function
as a FortiToken device.
Each FortiAuthenticator unit or virtual machine (VM) is supplied with two trial FortiToken Mobile
tokens. To obtain the free FortiToken Mobile tokens (if they have not been created dynamically
on install). Enter the code 0000-0000-0000-0000-0000.
This authentication code is time-based, so it is important that the FortiAuthenticator unit clock
is accurate. If possible, configure the system time to be synchronized with an NTP server.
The user enters the authentication code to perform token-based authentication. If the user’s
username and password are also required, this is called two-factor authentication. The code
displayed changes every 60 seconds.
The FortiToken device has a small hole in one end. This is intended for a lanyard to be inserted
so the device can be worn around the neck, or easily stored with other electronic devices.When
not in use, the LCD screen is shut down to extend the battery life.
Do not put the FortiToken device on a key ring as the metal ring and other metal objects can
damage it. The FortiToken is an electronic device like a cell phone and should be treated with
similar care.
FortiAuthenticator and FortiTokens
With FortiOS, FortiToken identifiers must be entered to the FortiGate unit, which then contacts
FortiGuard servers to verify the information before activating them.
FortiAuthenticator acts as a repository for all FortiToken devices used on your network — it is a
single point of registration and synchronization for easier installation and maintenance.
Fortinet Technologies Inc.
Page 30
FortiAuthenticator v2.1 Administration Guide
To add FortiTokens
1. Go to Authentication > Local User Management > FortiTokens.
2. Do one of the following:
• Select Create New and enter the FortiToken identifier. Devices have a serial number.
FortiToken Mobile apps use a certificate code. If there are multiple numbers to enter,
select the + icon to switch to a resizable multiple-line entry box.
• Select Import to load a file containing the list of serial numbers for the tokens. (FortiToken
devices have a barcode on them that can help you read serial numbers to create the
import file.)
3. Select OK.
To register FortiTokens, you must have a valid FortiGuard connection. Otherwise any
FortiTokens you enter will remain in Inactive status. After the FortiTokens are registered, the
connection to FortiGuard is no longer essential.
If a token authentication fails, check that the system time on the FortiAuthenticator unit is
correct and re-synchronize the FortiToken.
Monitoring FortiTokens
To monitor the total number of FortiToken devices registered on the FortiAuthenticator unit, as
well as the number of disabled FortiTokens, go to System > Dashboard > Status and view the
User Inventory widget.
You can also view the list of FortiTokens, their status, if their clocks are drifting, and which user
they are assigned to by going to Authentication > Local User Management > FortiTokens.
FortiToken device maintenance
Go to Authentication > Local User Management > FortiTokens and select Edit for the device. Do
any of the following:
• Disable a device when it is reported lost or stolen.
• Re-enable a device when it is recovered.
• Synchronize the FortiAuthenticator and the FortiToken device when the device clock has
drifted. Synchronizing ensures that the device provides the token code that the
FortiAuthenticator unit expects, as the codes are time-based. Fortinet recommends
synchronizing all new FortiTokens.
• Select History to view all commands applied to this FortiToken.
Configuration for FortiTokenMobile device provision
Go to Authentication > General > Options to modify settings for FortiTokenMobile provision.
Adding FortiGate units as authentication clients
Before the FortiAuthenticator unit can accept RADIUS and LDAP authentication requests from a
FortiGate unit, the FortiGate unit must be registered as a authentication client on the
FortiAuthenticator unit.
The FortiAuthenticator RADIUS server is already configured and running with default values.
Each user account on the FortiAuthenticator unit has an option to authenticate the user using
the RADIUS database.
Fortinet Technologies Inc.
Page 31
FortiAuthenticator v2.1 Administration Guide
Every time there is a change to the list of RADIUS authentication clients, two log messages are
generated — one for the client change, and one to state that the RADIUS server was restarted
to apply the change.
FortiAuthenticator unit allows both RADIUS and remote LDAP authentication for RADIUS
authentication client entries. If you want to use a remote LDAP server, you must configure it first
so that you can be select it in the RADIUS authentication client configuration. You can configure
the built-in LDAP server before or after creating client entries.
To configure a RADIUS accounting client
1. Go to Authentication > General > Auth Clients.
2. Select Create New and enter the following information:
Name
A name to identify the FortiGate unit.
Client name/IP
The FQDN or IP address of the unit.
Secret
The RADIUS passphrase that the FortiGate unit will use.
Description
Optional information about the FortiGate unit.
Authentication method
Select one of the following:
• Enforce two-factor authentication
• Apply two-factor authentication if available (authenticate
any user)
• Password-only authentication (exclude users without a
password)
• FortiToken-only authentication (exclude users without a
FortiToken)
Authenticate:
Limits who can authenticate.
All local users
Authenticate any of the configured Local Users.
Local users from
selected groups only
Authenticate only members of specific FortiAuthenticator
user groups. Add the required user groups to the Selected
local user groups list.
All remote users
Authenticate only users of the selected Remote LDAP
server.
Remote users from
selected groups only
Authenticate only users of specific groups on the selected
Remote LDAP server. If the server is not listed, create it. See
“Configuring Remote LDAP” on page 38.
Add the required user groups to the Selected remote user
groups list.
Fortinet Technologies Inc.
Page 32
FortiAuthenticator v2.1 Administration Guide
Allow MAC-based
authentication
Require Call-Check
attribute for
MAC-based auth
EAP types
The FortiAuthenticator unit identifies the device by its MAC
address. This is used for devices that don't allow the usual
username/password input to set up the WiFi, such as
network printers. Enter these units in Authentication >
Local User Management > MAC-based Auth. For more
information, see “MAC-based authentication” on page 45.
The FortiAuthenticator unit expects the username and
password attributes to be set to the source MAC address.
This option also requires a Service-Type attribute set to “Call
Check” and a Calling-Station-Id attribute set to the source
MAC address.
Select the 802.1X authentication types to accept.
Note: if you require mutual authentication, select only
EAP-TLS.
3. Select OK.
If authentication is failing, check that the authentication client is configured and that its IP
address is correctly specified. Common causes of problems are:
• RADIUS packets being sent from an unexpected interface
• NAT being performed between the authentication client and the FortiAuthenticator unit
Importing authentication clients
You can import authentication client information from a comma-separated value (.csv) file. Go to
Authentication > General > Auth. Clients and select Import to do this.
The CSV file has one record per line, with the record format: client name (32 characters max),
FQDN or IP address (128 characters max), secret (optional, 63 characters max).
Configuring built-in LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords, email
addresses, and printers. LDAP consists of a data-representation scheme, a set of defined
operations, and a request/response network.
In the LDAP protocol there are a number of operations a client can request such as search,
compare, and add or delete an entry. Binding is the operation where the LDAP server
authenticates the user. If the user is successfully authenticated, binding allows the user access
to the LDAP server based on that user’s permissions.
This section includes:
• LDAP directory tree overview
• Creating the LDAP directory tree
• Removing entries from the directory tree
Fortinet Technologies Inc.
Page 33
FortiAuthenticator v2.1 Administration Guide
LDAP directory tree overview
The LDAP tree defines the hierarchical organization of user account entries in the LDAP
database. The FortiGate unit requesting authentication must then be configured to address its
request to the right part of the hierarchy.
Often an LDAP server’s hierarchy reflects the hierarchy of the organization it serves. The root
represents the organization itself, usually defined as Domain Component (DC), a DNS domain,
such as example.com. (As the name contains a dot, it is written as two parts separated by a
comma: dc=example,dc=com.) Additional levels of hierarchy can be added as needed. These
include:
• c (country)
• ou (organizational unit, such as a division)
• o (organization, such as a department)
The user account entries relevant to user authentication will have element names such as UID
(user ID) or CN (common name, the user’s name). They can each be placed at their appropriate
place in the hierarchy.
Complex LDAP hierarchies are more common in large organizations where users in different
locations and departments have different access rights. For basic authenticated access to your
office network or the Internet, a much simpler LDAP hierarchy is adequate.
The following is a simple example of an LDAP hierarchy in which the all user account ((CN)
entries reside at the Organization Unit (OU) level, just below DC.
Figure 3: LDAP object directory
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part
of the hierarchy where the user account record can be found. This is called the Distinguished
Name (DN). In the example above, DN is ou=People,dc=example,dc=com.
The authentication request must also specify the particular user account entry. Although this is
often called the Common Name (CN), the identifier you use is not necessarily CN. On a
computer network, it is appropriate to use UID, the person’s user ID, as that is the information
that they will provide at logon.
Fortinet Technologies Inc.
Page 34
FortiAuthenticator v2.1 Administration Guide
Creating the LDAP directory tree
The following sections provide a brief explanation of each part of the LDAP attribute directory,
what is commonly used to represent, and how to configure it on FortiAuthenticator.
When an object name includes a space, as in “Test Users”, you have to enclose the text with
double-quotes. For example: cn="Test Users",cn=Builtin,dc=get,dc=local
Editing the root node
The root node is the top level of the LDAP directory. There can be only one. All groups, OUs,
and users branch off from the root node. Choose the distinguished name (DN) that makes sense
for your organization’s root node.
There are three common forms of DN entries.
The most common consists of one or more domain component (dc) elements making up the
DN. Each part of the domain has its own dc entry. This comes directly from the DNS entry for
the organization. For example.com, the dn entry is "dc=example,dc=com".
Another popular method is to use the company’s Internet presence as the DN. This method
uses the domain name as the DN. For example.com, the dn entry would be
"o=example.com".
An older method is to use the company name with a country entry. For Example Inc. operating
in the United States, the DN would be o="Example, Inc.",c=US. This makes less sense
with international companies.
When you configure FortiGate units to use the FortiAuthenticator unit as an LDAP server, you
will specify the distinguished name that you created here. This identifies the correct LDAP
structure to reference.
To rename the root node
1. Go to Authentication > Local User Management > LDAP Directory Tree.
2. Double-click "dc=example,dc=com" to edit the entry.
3. In Distinguished Name (DN), enter a new name.
Example: "dc=fortinet,dc=com".
4. Select OK.
If your domain name has multiple parts to it, such as shiny.widgets.example.com, each part of
the domain should be entered as part of the DN:
dc=shiny,dc=widgets,dc=example,dc=com, for example.
Adding nodes to the LDAP hierarchy
You can add a subordinate node at any level in the hierarchy as needed.
To add a node
1. Go to Authentication > Local User Management > LDAP Directory Tree.
Fortinet Technologies Inc.
Page 35
FortiAuthenticator v2.1 Administration Guide
2. Select the green “+” next to the DN entry where the node will be added.
3. In Class, select the identifier to use.
For example, to add the ou=People node from the earlier example, select
Organizational Unit (ou).
4. Select the [Please Select] drop-down and then select Create New. Enter the name of the
node, People for example, and select OK.
5. If needed, repeat steps 2 through 4 to add other nodes.
Adding user accounts to the LDAP tree
You must add user account entries at the appropriate place in the LDAP tree. These users must
already be defined in the FortiAuthenticator user database. See “Adding a user account” on
page 25.
To add a user account to the LDAP tree
1. Go to Authentication > Local User Management > LDAP Directory Tree.
2. Expand nodes as needed to find the required node, then select the node’s green “+” symbol.
In the earlier example, you would do this on the ou=People node.
3. In Class, select User (uid).
In User (Uid), the list of available users is displayed. You can choose to display them
alphabetically by user group or by user.
4. Select users in the Available Users list and move them to the Chosen Users list.
5. Select OK.
You can verify your users were added by expanding the node to see their UIDs listed below it.
Moving LDAP branches in the directory tree
At times you may want to rearrange the hierarchy of the LDAP structure. For example a
department may be moved from one country to another.
While it is easy to move a branch in the LDAP tree, all systems that use this information will
need to be updated to the new structure or they will not be able to authenticate users.
To move an LDAP branch
1. Go to Authentication > Local User Management > LDAP Directory Tree.
2. Select Expand All.
3. Select the branch to move by selecting it and holding down the mouse button.
4. Drag the branch to the location you want it, and release the mouse button. When it is a valid
location, an arrow will appear to the left of the current branch to indicate where the new
branch will be inserted — it will be inserted below the entry with the arrow.
Fortinet Technologies Inc.
Page 36
FortiAuthenticator v2.1 Administration Guide
Removing entries from the directory tree
Adding entries to the directory tree involves placing the attribute at the proper place. However,
when removing entries it is possible to remove multiple branches at once.
Take care not to remove more branches than you intend. Remember that all systems using this
information will need to be updated to the new structure or they will not be able to authenticate
users.
To remove an entry from the LDAP directory
1. Go to Authentication > Local User Management > LDAP Directory Tree.
2. Select Expand All, and select the entry to remove.
3. Select the red X for the entry.
You will be prompted to confirm your deletion. Part of the prompt displays the message of all
the entries that will be removed with this deletion. Ensure this is the level that you intend to
delete.
4. Select Yes, I’m sure.
If the deletion was successful there will be a green check next to the successful message
above the LDAP directory and the entry will be removed from the tree.
Configuring a FortiGate unit for FortiAuthenticator LDAP
When you have defined the FortiAuthenticator LDAP tree, you can configure FortiGate units to
access the FortiAuthenticator as an LDAP server and authenticate users.
To configure the FortiGate unit for LDAP authentication
1. On the FortiGate unit, go to User & Device > Authentication > LDAP Server and select
Create New.
2. Enter the following information and select OK:
Name
Enter a name to identify the FortiAuthenticator LDAP server on the
FortiGate unit.
Server Name / IP
Enter the FQDN or IP address of the FortiAuthenticator unit.
Server Port
Leave at default (389).
Common Name
Identifier
Enter uid, the user ID.
Distinguished Name Enter the LDAP node where the user account entries can be found.
For example, ou=People,dc=example,dc=com
Fortinet Technologies Inc.
Page 37
FortiAuthenticator v2.1 Administration Guide
Bind Type
The FortiGate unit can be configured to use one of three types of
binding:
• anonymous - bind using anonymous user search
• regular - bind using username/password and then search
• simple - bind using a simple password authentication without a
search
You can use simple authentication if the user records all fall under
one distinguished name (DN). If the users are under more than one
DN, use the anonymous or regular type, which can search the entire
LDAP database for the required username.
If your LDAP server requires authentication to perform searches, use
the regular type and provide values for User DN and Password.
Secure Connection If you select Secure Connection, you must select LDAPS or
STARTTLS protocol and the CA security certificate that verifies the
FortiAuthenticator unit’s identity. If you select LDAPS protocol, the
Server Port will change to 636.
3. Add the LDAP server to a user group. Specify that user group in identity-based security
policies where you require authentication.
Configuring Remote LDAP
If you already have an LDAP server or servers configured on your network, FortiAuthenticator
can connect to them for remote authentication much like FortiOS remote authentication.
Adding a remote LDAP server
If your organization has existing LDAP servers, you may choose to continue using them with
FortiAuthenticator by configuring them as Remote LDAP servers.
When entering the Remote LDAP server information, if any information is missing or in the
wrong format, error messages will highlight the problem for you.
To create a new remote LDAP server entry
1. Go to Authentication > Remote Auth. Servers > LDAP.
2. Select Create New.
3. Enter the following information.
Name
Enter the name for the remote LDAP server on FortiAuthenticator.
Server name/IP
Enter the IP address or FQDN for this remote server.
Base distinguished
name
Enter the base distinguished name for the server using the correct
X.500 or LDAP format. The maximum length of the DN is 512
characters.
You can also select the Browse button to view and select the DN on
the LDAP server.
Fortinet Technologies Inc.
Page 38
FortiAuthenticator v2.1 Administration Guide
Bind Type
The Bind Type determines how the authentication information is sent
to the server. Select the bind type required by the remote LDAP
server.
• Simple — bind using the user’s password which is sent to the
server in plaintext without a search.
• Regular — bind using the user’s DN and password and then
search
If the user records fall under one directory, you can use Simple bind
type. But Regular is required to allow a search for a user across
multiple domains.
User object class
The type of object class to search for a user name search. The
default is person.
Username attribute The LDAP attribute that contains the user name. The default is
sAMAccountName.
4. If you want to have a secure connection between the FortiAuthenticator unit and the remote
LDAP server, select Enable under Secure Connection and enter the following:
Protocol
Select LDAPS or STARTLS as the LDAP server requires.
CA Certificate
Select the CA certificate that verifies the server certificate.
5. Select OK. You can now add remote LDAP users.
Adding Remote LDAP users
Remote LDAP users must be imported into the FortiAuthenticator user database.
A FortiToken device already allocated to a local account cannot be allocated to an LDAP user
as well — it must be a different FortiToken device.
To add Remote LDAP users
1. Go to Authentication > Local User Management > Remote Users and select Import.
2. Select the Remote LDAP Server to import from and select Import Users.
3. Optionally, enter a Filter string to reduce the number of entries returned, and then select
Apply.
For example, uid=j* returns only user IDs beginning with “j”.
4. Select the entries you want to import and then select OK.
The default configuration imports the attributes commonly associated with Microsoft Active
Directory LDAP implementations. Select Configure user attributes to change this.
Selecting the field, FirstName for example, presents a list of attributes which have been
detected and can be selected. This list is not exhaustive and additional, non-displayed
attributes may available for import. Consult your LDAP administrator for an exhaustive list of
available attributes.
Fortinet Technologies Inc.
Page 39
FortiAuthenticator v2.1 Administration Guide
To add two-factor authentication to a Remote LDAP user
1. Go to Authentication > Local User Management > Remote Users.
2. Select and edit the chosen user.
3. Under Two-factor authentication, do one of the following:
• Select FortiToken and then select the FortiToken device serial number from the list.
• Select Email and enter the user’s email address.
• Select SMS and enter the user’s mobile information.
4. Select OK.
802.1X Authentication
The FortiAuthenticator unit supports several IEEE 802.1X Extensible Authentication Protocol
(EAP) methods. These include authentication methods most commonly used in WiFi networks.
Extensible Authentication Protocol is defined in the RFC 3748 and updated in RFC5247. EAP
does not include security for the conversation between the client and the authentication server,
so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.
The FortiAuthenticator unit supports several EAP methods:
Table 2: FortiAuthenticator-supported EAP methods
Method
Server Auth Client Auth Encryption Native OS
EAP-MD5
No
No
No
Windows (XP, Vista, 7), Mac
OSX, iOS, Linux, Android
PEAP (MSCHAPv2) Yes
No
Yes
Windows XP, Vista, 7
EAP-TTLS
Yes
No
Yes
Windows Vista, 7
EAP-TLS
Yes
Yes
Yes
Windows (XP, 7), Mac OSX,
iOS, Linux, Android
In addition to providing a channel for user authentication, EAP methods except EAP-MD5 also
provide certificate-based authentication of the server computer. EAP-TLS provides mutual
authentication: the client and server authenticate each other using certificates. This is essential
for authentication onto an enterprise network in a “bring your own device” (BYOD) environment.
For successful EAP-TLS authentication, the user’s certificate must be bound to their account in
Authentication > Local User Management > Local Users and the relevant RADIUS client in
Authentication > General > Auth Clients must permit that user to authenticate. By default, all
local users can authenticate, but it is possible to limit authentication to specified user groups.
The FortiAuthenticator unit and EAP
A FortiAuthenticator unit delivers all of the authentication features required for a successful
EAP-TLS deployment, including:
• Certificate Management - create and revoke certificates as a Certificate Authority. See
“Certificate Management” on page 58.
• Secure Certificate Enrolment Protocol (SCEP) Server - exchange a certificate signing request
(CSR) and the resulting signed certificate, simplifying the process of obtaining a device
certificate
• RADIUS AAA server - act as an authentication, authorization, and accounting (AAA) server
Fortinet Technologies Inc.
Page 40
FortiAuthenticator v2.1 Administration Guide
FortiAuthenticator unit configuration
You need to:
1. Create a CA certificate for the FortiAuthenticator unit. See “Certificate Authorities (CA)” on
page 59.
Optionally, you can skip this step and use an external CA certificate instead. You can go to
Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates.
2. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created
or imported in the preceding step. See “User and server certificates” on page 62.
3. If you configure EAP-TTLS authentication, go to Authentication > General > EAP Config and
configure the certificates for EAP. See “Configuring certificates for EAP” on page 41.
4. If SCEP will be used,
a. Configure an SMTP server to use for sending SCEP notifications. Then configure the
email service for the administrator to use the SMTP server that you created.
See “Configuring email servers and services” on page 16.
b. Go to Certificate Management > SCEP > General and select Enable SCEP.
c. In Default CA, select the CA certificate that you created or imported in Step 1, then select
OK.
5. Go to Authentication > Remote Auth. Servers and add the remote LDAP server that contains
your user database. See “Adding a remote LDAP server” on page 38.
6. Import users from the remote LDAP server. You can choose which specific users will be
permitted to authenticate. See “Adding Remote LDAP users” on page 39.
7. Go to Authentication > General > Auth Clients to add the FortiGate wireless controller as an
authentication client. Be sure to select the type of EAP authentication you intend to use. See
“Adding FortiGate units as authentication clients” on page 31.
8.
Configuring certificates for EAP
The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.
1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the
certificate you will use.
2. Go to Authentication > General > EAP Config. Select the Trusted CAs and Local CAs to use
for EAP Authentication and then select OK.
Configuring switches to use 802.1X authentication
The 802.1X configuration will be largely vendor dependent. The key requirements are:
RADIUS Server IP: This is the IP address of the FortiAuthenticator
Key: The preshared secret configured in the FortiAuthenticator authentication client settings
Authentication Port: By default, FortiAuthenticator listens for authentication requests on port
1812
Fortinet Technologies Inc.
Page 41
FortiAuthenticator v2.1 Administration Guide
Configuring clients to use 802.1X authentication
Windows XP SP3
1. Open a Command Prompt window and run services.msc.
2. Right-click Wired Autoconfig and select Properties.
3. Set startup type to Automatic and then Start the service.
4. In the Log On tab, select Log on as local system account, then select OK.
5. Go to Control Panel > Network Connections, right-click on Local Area Connection and
select Properties.
6. Select the Authentication tab, select Enable IEEE 802.1X authentication and then select the
Protected EAP (PEAP) authentication method.
7. Select Settings. In the Protected EAP Properties window, de-select Validate server
certificate, and under Select Authentication Method, select Secure password
(EAP-MSCHAP v2).
8. Select Configure and deselect Automatically use my Windows logon name and password.
Select OK.
9. Connect the PC to a network interface where 802.1X is enabled. A pop-up message will
state that additional information is required to connect to the network. Select the pop-up
message. Enter your User name and Password. Select Save this User name and password
for future use.
10.Select OK.
Windows 7 - for EAP-TTLS authentication
1. On the FortiAuthenticator, go to Certificate Management > End Entities > Local Services and
export the server certificate.
2. On the Windows computer, install the FortiAuthenticator server certificate:
a. Locate the exported server certificate file and double-click it.
The Certificate window opens.
b. In the Certificate window, select Install Certificate, and then select the certificate store
Trusted Root Certification Authorities.
c. Respond Yes to the security warning about installing the certificate into the certificate
store.
3. On the Windows computer, open the Intel Proset/Wireless connection utility.
4. Select your SSID and then select Properties.
Fortinet Technologies Inc.
Page 42
FortiAuthenticator v2.1 Administration Guide
5. In Security Settings > TTLS User,
a. Select TTLS as Authentication type.
b. In Authentication Protocol, select PAP.
c. In Use Credentials, select Prompt each time I connect.
6. In Security Settings > TTLS Server, ensure Validate Server certificate is enabled and select
the FortiAuthenticator Server certificate that you previously installed.
7. Select OK.
When you connect to this SSID, you are prompted for login credentials. Enter your LDAP
account name and password.
Fortinet Technologies Inc.
Page 43
FortiAuthenticator v2.1 Administration Guide
Windows 7 - for PEAP authentication
This procedure uses the native Windows 7 supplicant. The Intel Proset supplicant configuration
is similar.
1. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities >
Trusted CAs and export the CA certificate used to sign the FortiAuthenticator certificate.
2. On the Windows computer, install the CA certificate exported from the FortiAuthenticator
unit:
a. Locate the exported CA certificate file, double-click it, and select Open.
b. Select Install Certificate.
The Certificate Import Wizard starts.
c. Select Next.
d. Select Place all Certificates in the following store, select the certificate store Trusted Root
Certification Authorities, and then select Next.
e. Select Finish. Respond Yes to the security warning about installing the certificate into the
certificate store.
3. On the Windows computer, open the wireless properties from the task bar, right-click the
PEAP protected SSID, and then select Properties.
The Security type and Encryption type are usually detected correctly, but can be changed if
needed.
4. Select Settings and ensure that Validate Server Certificate is selected.
5. Select OK.
Fortinet Technologies Inc.
Page 44
FortiAuthenticator v2.1 Administration Guide
MAC-based authentication
Non-802.1X compliant devices can be identified and accepted onto the network via MAC
address authentication. The MAC address is used as both the username and the password.
To configure MAC-based authentication for a device
1. Go to Authentication > Local User Management > MAC-based Auth.
2. Enter a Name for the device and enter the device’s MAC address.
3. Select OK.
Monitoring user authentication
You can monitor user authentication activity on the dashboard and in the logs.
For RADIUS Authentication and two-factor authentication, the FortiAuthenticator unit cannot
tell who is logged on at any one time, only that they authenticated at a specific time. Also, log
off of these users is not detected.
Dashboard
On the dashboard there are two user related widgets.
The Authentication Activity widget is a graph that tracks the number of authentications over
time. It can display successful, failed, or all authentications, or a combination of all three.
Multiple occurrences of this widget can be displayed on the dashboard, and configured
individually.
The User Inventory widget displays the total number of configured users, groups, and
FortiTokens. It also tracks the number of disabled users and FortiTokens.
Fortinet Technologies Inc.
Page 45
FortiAuthenticator v2.1 Administration Guide
Fortinet Single Sign On (FSSO)
Fortinet Single Sign-On (FSSO) is a set of methods to transparently authenticate users to
FortiGate devices. FortiAuthenticator takes this framework and enhances it with several
authentication methods:
• Users can authenticate through a web portal and a set of embeddable widgets.
• Users with FortiClient Endpoint Security installed can be automatically authenticated
through the FortiClient SSO Mobility Agent.
• Users authenticating against Active Directory can be automatically authenticated.
• RADIUS Accounting packets can be used to trigger an FSSO authentication.
• An authentication portal is available to provide manual authentication into FSSO if other
methods are not available.
This section describes FSSO only. For FSSO authentication methods, there is no need to
configure anything under SSO & Dynamic Policies > SSO > Dynamic Policy or Accounting
Proxy.
This chapter describes
• Configuring FortiAuthenticator for FSSO
• Configuring FortiAuthenticator Logon Detection Methods
• Monitoring Single Sign-On activity
Configuring FortiAuthenticator for FSSO
The FortiAuthenticator unit must be configured to collect the relevant user logon data. After this
basic configuration is complete, the various methods of collecting the login information can be
set up as needed.
Basic configuration
The FortiAuthenticator unit listens for requests from authentication clients and can poll
Windows Active Directory servers.
To configure FortiAuthenticator FSSO polling
1. Go to SSO & Dynamic Policies > SSO > Options.
2. In the FortiGate section, enter:
Fortinet Technologies Inc.
Listening port
Leave at 8000 unless your network requires you to change
this. Ensure this port is allowed through the firewall.
Login Expiry (in minutes)
The length of time users can remain logged in before the
system logs them off automatically. The default is 480 minutes
(8 hours).
Page 46
FortiAuthenticator v2.1 Administration Guide
3. Select Enable Authentication and configure:
Secret key
Enter a password. Use the same password when configuring
the FSSO Agent on FortiGate units.
Log Level
Select one of Debug, Info, Warning, or Error as the minimum
severity level of event to log.
4. In the Fortinet Single Sign-On (FSSO) section, enter
Enable Windows Active
Directory domain
controller polling
Select to enable the detection of user sign-ons by parsing the
domain controller's security logs.
Enable Radius
Accounting SSO clients
Select to enable the detection of users sign-ons and sign-offs
from incoming RADIUS accounting (Start, Stop, and
Interim-Update) records.
Use remote LDAP server
for SSO groups lookup
Select the remote LDAP server you configured. See
“Configuring the remote LDAP server” on page 50.
Enable FortiClient service Select to enable single sign-on by clients running FortiClient
Endpoint Security. Enter the same secret key that you enter in
the FortiClient Single Sign-On Mobility Agent settings.
5. Select OK.
Configuring FortiGate units for FSSO
Each FortiGate unit that will use FortiAuthenticator to provide Single Sign-On authentication
must be configured to use the FortiAuthenticator unit as an SSO server.
To configure Single Sign-On authentication on the FortiGate unit
1. On the FortiGate unit, go to User & Device > Authentication > Single Sign-On and select
Create New.
2. In Type, select Fortinet Single-Sign-On Agent.
3. Enter a Name for the FortiAuthenticator unit.
4. In Primary Agent IP/Name, enter the IP address of the FortiAuthenticator unit.
5. In Password, enter the secret key that you defined for the FortiAuthenticator unit.
See “Configuring FortiAuthenticator for FSSO” on page 46.
6. Select OK.
In a few minutes, the FortiGate unit receives a list of user groups from the FortiAuthenticator
unit. The entry in the Single Sign-On server list shows a blue caret.
When you open the server, you can see the list of groups. You can use the groups in
identity-based security policies.
Fortinet Technologies Inc.
Page 47
FortiAuthenticator v2.1 Administration Guide
Configuration of the FortiGate units on FortiAuthenticator
SSO & Dynamic Policies > SSO > Options > FortiGate
Group Filtering
If you are providing SSO to only certain groups on a remote LDAP server, you can filter the
polling information so that it includes only those groups.
To create a group filter
1. Go to SSO & Dynamic Policies > SSO > FortiGate Group Filtering and select Create New.
2. Select Forward FSSO information for users from the following subset of groups only.
3. Choose the desired SSO groups and move them to the Selected SSO group list.
4. Select OK.
Domain Controller
If you will use Active Directory to ascertain the group info, you need to configure the
FortiAuthenticator unit to communicate with the Domain Controllers.
You can disable a Domain Controller entry without removing its configuration. This is useful
when testing, troubleshooting, or moving controllers within your network.
In order to properly discover the available domains and domain controllers, the DNS settings
must specify a DNS server that can provide the IP addresses of the domain controllers.
To add a domain controller to FortiAuthenticator
1. Go to SSO & Dynamic Policies > SSO > Domain Controllers.
2. Select Create New, enter the following information, and then select OK.
NetBIOS Name
Enter the name of the Domain Controller as it appears in NetBIOS.
Display Name
This is a unique name to easily identify this Domain Controller.
Network Address
Enter the network IPv4 address of this controller.
Account
Enter the account name used to access logon events. This account
should have administrator rights.
Password
Enter the password for the account selected above.
Priority
You can define two (or more) Domain Controllers for the same
domain. Each can be designated Primary or Secondary. The Primary
unit is accessed first.
3. Repeat step 2 for each Domain Controller that the FortiAuthenticator unit will poll.
4. Select OK.
By default, FortiAuthenticator uses auto-discovery of Domain Controllers. If you want to restrict
operation to the configured domain controllers only, go to SSO & Dynamic Policies > SSO >
Options and select Restrict auto-discovered domain controllers to configured domain
controllers.
Fortinet Technologies Inc.
Page 48
FortiAuthenticator v2.1 Administration Guide
IP filtering
Optionally, you can restrict the user logon information that is sent to FortiGate units to users in
particular IP address ranges. If no filters are defined, information is sent for all addresses.
To create IP filtering rules
1. Go to SSO & Dynamic Policies > SSO > IP Filtering Rules.
2. Select Create New.
3. Enter a Name for the rule.
4. In Filter Type, select whether the rule will specify a IP address with a netmask or an IP
address range.
5. In Rule, enter either IP address/netmask or IP start/end addresses, depending on Filter Type.
• IP/Mask example: 10.0.0.1/255.255.255.0
• IP Range example: 10.0.0.1/10.0.0.99
6. Select OK.
7. Repeat steps 2 through 6 to create addtional rules.
Configuring FortiAuthenticator Logon Detection Methods
The FortiAuthenticator unit can use several methods to detect user logons:
• Active Directory polling
• SSO Login portal
• FortiClient SSO Mobility Agent
• RADIUS to FSSO
Configure the detection methods that you intend to use.
Active Directory polling
FortiAuthenticator regularly polls the domain controller to read the Windows Security Event
Logs. Once the basic configuration is complete, Active Directory polling is essentially ready and
only needs to be enabled.
Make sure that the administrator specified in SSO & Dynamic Policies > SSO > Domain
Controllers has adequate permissions to remotely access the Windows Security Event Logs.
The AD Admin used for bind should be specified in the format
[email protected], not
cn=DomainAdmin,cn=Users,dc=corp,dc=admin,dc=com
To enable Active Directory polling
1. Go to SSO & Dynamic Policies > SSO > Options.
2. Under Fortinet Single Sign-On (FSSO), select Enable Windows Active Directory domain
controller polling.
3. Select Restart SSO Service. (?)
4. Select OK.
Fortinet Technologies Inc.
Page 49
FortiAuthenticator v2.1 Administration Guide
SSO Login portal
The SSO portal supports a logon widget that you can embed in any web page. Typically, an
organization would embed the widget on its home page. The widget looks like this:
User not logged in. Click Login to go to the FortiAuthenticator
login page.
User logged in. Name displayed. Logout button available.
The SSO portal sets a cookie on the user’s browser. When the user browses to a page
containing the login widget, the FortiAuthenticator unit recognizes the user and updates its
database if the user’s IP address has changed. The user will not need to re-authenticate until
the login timeout expires, which can be up to 30 days. To log out of FSSO immediately, the user
can select the Logout button in the widget.
Configuring the remote LDAP server
The use of a remote LDAP server is optional. If enabled, it is first used to verify the login
password. If user credentials are valid, it is then used to retrieve the user group info.
To configure remote LDAP server entry
1. Go to Authentication > Remote Auth. Servers > LDAP.
2. Select Create New.
3. Enter the following information.
Name
Enter the name for the remote LDAP server on
FortiAuthenticator.
Server name/IP
Enter the IP address or FQDN for this remote server.
Common name identifier
The identifier used for the top of the LDAP directory tree
as it applies to FortiAuthenticator users. This may be the
top of the tree, or only a smaller branch of it.
cn is the default, and is used by most LDAP servers.
Base distinguished name
Enter the base distinguished name for the server.
Example: DC=corp,DC=example,DC=com
You can also select the Browse button to view and select
the DN on the LDAP server.
Bind Type
Select Regular and enter the User DN and Password of an
account that has permissions to read the security event
log. User DN example:
[email protected]
If the user records fall under one directory, you can use
Simple bind type. But Regular is required to allow a
search for a user across multiple domains.
Fortinet Technologies Inc.
User object class
person
Username attribute
sAMAccountName
Page 50
FortiAuthenticator v2.1 Administration Guide
4. If you want to have a secure connection between the FortiAuthenticator unit and the remote
LDAP server, select Enable under Secure Connection and enter the following:
Protocol
Select LDAPS or STARTLS as the LDAP server requires.
CA Certificate
Select the CA certificate that verifies the server certificate.
5. Select OK.
Enabling the SSO portal
To enable the Single Sign-on portal
1. Go to SSO & Dynamic Polices > SSO > Login Portal.
2. Select Enable SSO Portal.
3. Enable as appropriate
• Local Users - either all users or users from groups you select
• Remote users from an LDAP server - Select the LDAP server and then select either all
users on the server or users from groups that you select.
4. Enter the Login timeout in days. When this time expires, the user must re-authenticate.
5. Optionally, copy the code in Embeddable login widget for use on your organization’s home
page. The widget will look like the Login widget demo.
6. Select OK.
FortiClient SSO Mobility Agent
The FortiClient SSO Mobility Agent is a feature of FortiClient Endpoint Security v5.0. The agent
automatically provides user name and IP address information to the FortiAuthenticator unit for
transparent authentication. IP address changes, such as those due to WiFi roaming, are
automatically sent to the FortiAuthenticator. When the user logs off or otherwise disconnects
from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.
In SSO Options, the FortiClient Service must be enabled. See “Configuring FortiAuthenticator
for FSSO” on page 46.
To configure FortiClient SSO Mobility Agent
1. In FortiClient Endpoint Security, go to File > Settings.
You must run the FortiClient application as an administrator to access these settings.
2. Select Enable single sign-on mobility agent. Enter the FortiAuthenticator unit IP address,
including the listening port number specified on the FortiAuthenticator unit.
Example: 192.168.0.99:8001. You can omit the port number if it is 8005.
3. Enter the preshared key.
4. Select OK.
Fake client protection
Some attacks are based on a user authenticating to an unauthorized AD server in order to spoof
a legitimate user logon through the FortiClient SSO Mobility Agent. You can prevent this type of
attack by enabling NTLM authentication in SSO Options. Go to Authentication > SSO &
Dynamic Policies > SSO > Policies. The FortiAuthenticator unit will initiate NTLM authentication
with the client, proxying the communications only to the legitimate AD servers it is configured to
use.
Fortinet Technologies Inc.
Page 51
FortiAuthenticator v2.1 Administration Guide
If NTLM is enabled, the FortiAuthenticator unit requires NTLM authentication when
• the user logs on to a workstation the first time
• the user logs off and then logs on again
• the workstation IP address changes
• the workstation user changes
• NTLM authentication expires (configurable under SSO Options)
RADIUS to FSSO
FSSO can also be based on RADIUS accounting records. You need to configure the
FortiAuthenticator as a RADIUS accounting client to the RADIUS server.
To configure and enable a RADIUS accounting client
1. Go to SSO & Dynamic Policies > SSO > RADIUS Accounting and select Create New.
2. Enter a Name to identify the RADIUS accounting client on the FortiAuthenticator.
3. Enter the RADIUS accounting client’s FQDN or IP address and the Secret (preshared key).
4. Select the SSO user category: External, Local users, or Remote users.
5. If needed, customize the RADIUS attributes for user name, client IP address, and user group
name to match the ones used in the incoming RADIUS accounting records.
6. Select OK.
7. Go to SSO & Dynamic Policies > SSO > Options and select Enable RADIUS Accounting SSO
clients. Then, select OK.
Monitoring Single Sign-On activity
FortiAuthenticator can monitor the units that make up FSSO. This is useful to ensure there is a
connection to the different components when troubleshooting.
Monitoring domains
Go to Monitor > Domains to view active domains. If you hover an entry, additional information is
displayed.
Monitoring SSO users
For this, go to Monitor > SSO Users.
Fortinet Technologies Inc.
Page 52
FortiAuthenticator v2.1 Administration Guide
Monitoring domain controllers
Go to Monitor > Domain Controllers to view FSSO domain controllers that are registered with
the FortiAuthenticator unit.
Monitoring FortiGate units
Go to Monitor > FortiGates to view FortiGate units that are registered with the FortiAuthenticator
unit.
Viewing SSO authentication events on the FortiGate unit
User authentication events are logged in the FortiGate event log. Go to Log & Report >
Event Log > User.
Fortinet Technologies Inc.
Page 53
FortiAuthenticator v2.1 Administration Guide
Supporting RADIUS Single Sign On
(RSSO)
A FortiGate or FortiMail unit can authenticate users transparently who have already
authenticated on an external RADIUS server. However, there are potential difficulties with this
approach:
• The RADIUS Server is business-critical IT infrastructure, limiting the changes that can be
made to the server configuration.
• In some cases, the server can send accounting records only to a single endpoint. Some
network topologies may require multiple endpoints.
The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the
RADIUS accounting records, modifying and replicating them to the multiple subscribing
endpoints as needed.
Configuring the RADIUS Accounting Proxy
The accounting proxy needs to know
• the source of the RADIUS accounting records: the RADIUS server
• rule sets to define or derive the RADIUS attributes that the FortiGate or FortiMail unit
requires
• the destination(s) of the accounting records: the FortiGate or FortiMail units using this
information for RADIUS SSO authentication
Defining the RADIUS accounting source
To configure the RADIUS Accounting Proxy source
1. Go to SSO & Dynamic Policies > Accounting Proxy > Sources and select Create New.
2. Enter
Name
An identifier for the RADIUS server. This is used in FortiAuthenticator
configurations.
Source name/IP
The FQDN or IP address of the server.
Secret
The shared secret required to access the server.
3. Select OK.
Defining rule sets
A rule set can contain multiple rules. Each rule can do one of:
• add an attribute with a fixed value
• add an attribute retrieved from a user’s record on an LDAP server
• rename an attribute to make it acceptable to the accounting proxy destination
The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a
description to each rule set to help you remember each rule set’s purpose.
Fortinet Technologies Inc.
Page 54
FortiAuthenticator v2.1 Administration Guide
Rules access RADIUS attributes of which there are both standard and vendor-specific attributes
(VSAs). To select a standard attribute, select the Default vendor.
To configure RADIUS Accounting Proxy rule sets
1. Go to SSO & Dynamic Policies > Accounting Proxy > Rule Sets and select Create New.
2. Enter a Name to use when selecting this rule set for an accounting proxy destination.
3. Enter a brief Description of the rule’s purpose.
4. Enter one or more rules.
The Action for each rule can be either Add or Modify. An Add rule adds either a static value
or a value derived from an LDAP server. A Modify rule simply renames an attribute. To enter
an attribute, you select [Browse] and choose the appropriate Vendor and Attribute ID. If the
attribute addition requires an LDAP server, in Remote LDAP you can select any LDAP server
that has been defined in Authentication > Remote Auth Servers.
The Value type option Group names looks up the user’s group memberships on the specified
LDAP server and creates an attribute for each group found. The Attribute 2 field must specify
an attribute that provides the user’s name.
The Value type option Services looks up the user’s group memberships on the specified
LDAP server and creates an attribute for each group-to-service mapping under
SSO & Dynamic Policies > Dynamic Policy > SSO Group Mapping. The Attribute 2 field must
specify an attribute that provides the user’s name.
The Value type option UTM profile groups looks up the user’s group memberships on the
specified LDAP server and creates an attribute for the first match in group-to-UTM profile
group mappings under SSO & Dynamic Policies > Dynamic Policy > SSO Group Mapping.
The Attribute 2 field must specify an attribute that provides the user’s name.
5. If needed select Add another Rule to provide the fields for an additional rule.
6. Select OK.
Example
The incoming accounting packets contain the following fields:
• User-Name
• NAS-IP-Address
• Fortinet-Client-IP-Address
The outgoing accounting packets need to have these fields:
• User-Name
• NAS-IP-Address
• Fortinet-Client-IP-Address
• Session-Timeout: Value is always 3600
• Fortinet-Group-Name : Value is obtained from user's group membership on remote LDAP
• Service-Type : Value is obtained from user's group membership and SSO Group Mapping
The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and
Service-Type.
Fortinet Technologies Inc.
Page 55
FortiAuthenticator v2.1 Administration Guide
Figure 4: Example ruleset
Figure 5: Example ruleset expanded
Fortinet Technologies Inc.
Page 56
FortiAuthenticator v2.1 Administration Guide
Defining destinations for RADIUS accounting records
The destination of RADIUS accounting records is the FortiGate or FortiMail unit that will use the
records to identify users. When you define the destination, you also specify the source of the
records (a RADIUS client already defined as a source) and the rule set to apply to the records.
To configure RADIUS Accounting Proxy destinations
1. Go to SSO & Dynamic Policies > Accounting Proxy > Destinations and select Create New.
2. Enter
Name
A name to identify the destination device in your configuration.
Destination name/IP The FQDN or IP address of the FortiGate or FortiMail unit that will
receive the RADIUS accounting records.
Secret
The preshared key of the destination (a FortiGate unit, for example).
Source
A RADIUS client defined as a source in SSO & Dynamic Policies >
Accounting Proxy > Sources.
Rule set
An appropriate rule set defined in SSO & Dynamic Policies >
Accounting Proxy > Rule Sets.
3. Select OK.
Fortinet Technologies Inc.
Page 57
FortiAuthenticator v2.1 Administration Guide
Certificate Management
The FortiAuthenticator unit has several roles that involve certificates.
Certificate Authority
The administrator generates CA certificates that can validate
the user certificates generated on this FortiAuthenticator unit.
The administrator can also import other CA’s CA certificates
and Certificate Revocation Lists (CRLs). These functions are
available under Certificate Management > Certificate
Authorities > Certificates.
The administrator generates, signs, and revokes user
certificates. These functions are available under
Certificate Management > Users > Certificates.
SCEP Server
A SCEP client (user) can:
• retrieve any of the CA certificates in
Certificate Management > Certificate Authorities >
Certificates
• have its own user certificate signed by the
FortiAuthenticator unit certificate authority.
Remote LDAP
Authentication
Acting as an LDAP client, the FortiAuthenticator unit
authenticates users against an external LDAP server. It
verifies the identity of the external LDAP server by using a CA
certificate stored in Certificate Management >
Certificate Authorities > Trusted Certificates.
EAP Authentication
(WiFi clients)
The FortiAuthenticator unit checks that the client’s certificate
is signed by one of the authorized CA certificates configured
under Authentication > General > EAP CA Certificates, which
come from Certificate Management > Certificate Authorities >
Certificates or Certificate Management >
Certificate Authorities > Trusted Certificates. The client
certificate must also match one of the certificates in
Certificate Management > Users > Certificates.
This section describes how FortiAuthenticator allows you to manage certificates including
acting as a Certificate Authority.
FortiAuthenticator can act as a Certificate Authority (CA) for the creation and signing of X.509
certificates such as server certificates for HTTPS and SSH, and client certificates for HTTPS,
SSL, and IPSEC VPN.
Any changes made to certificates generate log entries that can be viewed at Logging > Log
Access > Logs. See “Logging” on page 66.
This chapter includes:
• Certificate Authorities (CA)
• User and server certificates
Fortinet Technologies Inc.
Page 58
FortiAuthenticator v2.1 Administration Guide
Certificate Authorities (CA)
A certificate authority (CA) is used to sign other server and client certificates. The authority
comes from a well-known trusted authority trusting the CA. You must have a CA certificate on
your FortiAuthenticator before you can generate a user certificate.
Different CAs can be used for different domains or certificates. For example if your organization
is international you may have a CA for each country, or smaller organizations might have a
different CA for each department. The benefits of multiple CAs include redundancy in case there
are problems with one of the well-known trusted authorities,
Once you have created a CA certificate, you can export it to your local computer.
This section includes:
• Certificates
• Certificate Revocation List (CRL)
Certificates
Do not press Enter until you have completed entering all of the information, otherwise you will
create a certificate with incomplete information.
Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL
certificate. SAN is part of the X.509 certificate standard. An example of where SANs are used is
to protect multiple domain names such as www.example.com and www.example.net. This
contrasts a wildcard certificate that can only protect all first-level subdomains on one domain,
such as *.example.com.
The certificate information including subject, issuer, status, and CA type are displayed on the
Certificate Management > Certificate Authorities > Local CAs page.
If you have many certificates, you can use the search feature to find one or more specific
certificates. The search will return certificates that match either subject or issuer.
To create a CA certificate
1. Go to Certificate Management > Certificate Authorities > Local CAs.
2. Select Create New.
3. Enter the following information and select OK.
Certificate Authority Type Select one of the following:
• Root CA certificate — a self-signed CA certificate
• Intermediate CA certificate — a CA certificate that
refers to a different root CA as the authority.
• Intermediate CA certificate signing request (CSR)
The fields displayed change based on your certificate
type.
Certificate Authority
Select one of the available certificate authorities (CAs)
configured on the FortiAuthenticator.
This field is displayed only when Intermediate CA
certificate is selected.
Fortinet Technologies Inc.
Page 59
FortiAuthenticator v2.1 Administration Guide
Subject information
Subject input method Select to enter either a Fully distinguished name (DN) or
Field-by-Field. Default value is Field-by-Field.
The fields displayed for subject information change based
on your subject input method.
Subject DN
Enter the full DN of the subject. For example c=CA,
o=Fortinet, cn=John Smith. Valid DN attributes are
C, ST, L, O, OU, CN, and emailAddress. They are
case-sensitive.
This field is only displayed when fully distinguished name
(DN) subject input method is selected.
Name (CN)
Company (O)
Department (OU)
City (L)
State/Province (ST)
Enter each value in the field provided.
Country (C)
Select your country from the drop-down list. Each country
includes its two-letter code.
These fields need to match the information user who will
be using the certificate — the fields will be assembled into
a distinguished name for the certificate.
Subject Alternative Name
Email
Enter the email address of a user to map to this certificate.
This field is not available if certificate type is CSR.
User Principal Name
(UPN)
Enter the user principal name used to find the user’s
account in Microsoft Active Directory. This will map the
certificate to this specific user. The UPN is unique for the
Windows Server domain. This is a form of one-to-one
mapping.
This field is not available if certificate type is CSR.
Additional Options
Validity Period
Select how long before this certificate expires.
Select either a set number of days and enter the total
number of days before this certificate expires (such as
3650 days for a life of 10 years), or set an expiry date by
entering the expiry date in YYYY-MM-DD format, selecting
Today, or use the Calendar icon to help you select a date.
This field is not available if certificate type is CSR.
Key Type
The key type is set to RSA.
Key Size
Select the key size as one of 1024, 2048, or 4096 Bits
long.
Hash Algorithm
Select the hash algorithm used as one of SHA-1 or
SHA-256.
To import a CA certificate
1. Go to Certificate Management > Certificate Authorities > Local CAs.
Fortinet Technologies Inc.
Page 60
FortiAuthenticator v2.1 Administration Guide
2. Select Import.
3. Enter the following information and select OK.
Type
Select the type of CA certificate to import: PKCS12
Certificate or Certificate and Private Key.
PKCS12 certificate file
Select the certificate file from your local computer to
upload to the FortiAuthenticator. This field is visible
only if PKCS12 type is selected.
Certificate file
Select the certificate file from your local computer to
upload to the FortiAuthenticator. This field is visible
only if you selected Certificate and Private Key type.
Private key file
Select the private key file from your local computer to
upload to the FortiAuthenticator. This field is visible
only if you selected Certificate and Private Key type.
Passphrase
Enter the passphrase associated with this certificate.
Serial number radix
Select the radix of the serial number as either decimal
or hex.
Initial serial number
Enter the starting serial number for the CA certificate.
Certificate Revocation List (CRL)
A Certificate Revocation List (CRL) is a file that contains a list of revoked certificates, their serial
numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL,
the effective date, and the next update date. By default, the shortest validity period of a CRL is
one hour.
Some potential reasons for certificates to be revoked include:
• a CA server was hacked and its certificates are no longer trustworthy,
• a single certificate was compromised and is no longer trustworthy, or
• in some cases when certificates expire they are added to the list to ensure they are not used
past their lifetime.
To import a Certificate Revocation List (CRL)
1. Download the most recent CRL from a CRL Distribution Point (CDP). One or more CDPs are
usually listed in a certificate under the Details tab.
2. Go to Certificate Management > Certificate Authorities > CRLs.
3. Select Import.
4. Select a CRL file from your local computer, and select OK.
When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator. You can
select it to see the details.
Locally created CRL
When you import a CRL, it is from another authority. If you are creating your own CA certificates,
then you can also create your own CRL to go with them.
As a CA, you sign user certificates. If for any reason you need to revoke one of those
certificates, it will go on a local CRL. When this happens you need to export the CRL to all your
certificate users so they are aware of the revoked certificate.
To create a local CRL
1. Create a local CA certificate. See “Certificate Authorities (CA)” on page 59.
Fortinet Technologies Inc.
Page 61
FortiAuthenticator v2.1 Administration Guide
2. Create one or more user certificates. See “User and server certificates” on page 62.
3. Go to Certificate Management > End Entities > Users.
4. Select one or more certificates and select Revoke.
You will be prompted for the reason for the revocation as one of:
• Unspecified
• Key has been compromised
• CA has been compromised
• Changes in affiliation
• Superseded
• Operation ceased
• On hold
Some of these reasons are security related (such as key or CA compromised) where others
are more business related — change in affiliation could just be an employee leaving the
company, or operation ceased could be a project that was cancelled.
5. Select OK.
The certificates selected will be removed from the User Certificate list, and a CRL will be
created with those certificates as entries in the list.
If there is already a CRL for the CA that signed the user certificates, they will be added to the
current CRL.
If at a later date one or more CAs are deleted, their corresponding CRLs will be deleted as well,
along with any user certificates they signed.
Configuring Online Certificate Status Protocol
As well as manual CRL, FortiAuthenticator also supports Online Certificate Status Protocol
(OCSP), defined in RFC2560. To use OCSP, configure the FortiGate unit to use TCP port 2560
on the FortiAuthenticator IP address.
For example, configuring OCSP in FortiGate CLI for a FortiAuthenticator with an IP address of
172.20.120.16, looks like this
config vpn certificate ocsp-server
edit fac_ocsp
set cert "REMOTE_Cert_1"
set url "http://172.20.120.16:2560"
end
User and server certificates
User and server certificates are required for mutual authentication on many HTTPS, SSL, and
IPsec VPN network resources. You can create a user certificate on FortiAuthenticator or import
and sign a Certificate Signing Request (CSR). User certificates, client certificates, or local
computer certificates are the same type of certificate.
To create a certificate
1. User certificate: go to Certificate Management > End Entities > Users.
Server certificate: go to Certificate Management > End Entities > Local Services.
2. Select Create New.
Fortinet Technologies Inc.
Page 62
FortiAuthenticator v2.1 Administration Guide
3. Enter the following information and select OK.
The Certificate Authority used must be valid and current. If it is not you will have to create or
import a CA certificate before continuing. See “Certificate Authorities (CA)” on page 59.
Certificate Signing Options
Certificate Authority
Select one of the available certificate authorities (CAs) configured
on the FortiAuthenticator from the drop-down list. The CA must be
current.
Subject information
Subject input
method
Select to enter either a Fully distinguished name (DN) or
Field-by-Field. Default value is Field-by-Field.
Subject DN
Enter the full DN of the subject. For example C=CA,
O=Fortinet, CN=John Smith. Valid DN attributes are C, ST, L,
O, OU, CN, and emailAddress. They are case-sensitive.
This field is only displayed when fully distinguished name (DN)
subject input method is selected.
Enter each value in the field provided.
Name (CN)
Company (O)
Department (OU)
City (L)
State/Province
(ST)
Country (C)
Select your country from the drop-down list. Each country
includes its two-letter code.
Subject Alternative Name
Email
Enter the email address of a user to map to this certificate.
User Principal
Name (UPN)
Enter the user principal name used to find the user’s account in
Microsoft Active Directory. This will map the certificate to this
specific user. The UPN is unique for the Windows Server domain.
This is a form of one-to-one mapping.
Additional Options
Validity Period
Select how long before this certificate expires.
Select either a set number of days and enter the total number of
days before this certificate expires (such as 3650 days for a life of
10 years), or set an expiry date by entering the expiry date in
YYYY-MM-DD format, selecting Today, or use the Calendar icon to
help you select a date.
Key Type
Fortinet Technologies Inc.
The key type is set to RSA.
Page 63
FortiAuthenticator v2.1 Administration Guide
Key Size
Select the key size as one of 1024, 2048, or 4096 Bits long.
Hash Algorithm
Select the hash algorithm used as one of SHA-1 or SHA-256.
4. Confirm the certificate information is correct by selecting the certificate entry.
This will bring up the text of the certificate including the version, serial number, issuer,
subject, effective and expiration dates, and the extensions.
If any of this information is out of date or incorrect, you will not be able to use this certificate.If
this is the case, delete the certificate and re-enter the information.
5. Once the information is confirmed, you can export the certificate to the user’s computer and
import it into the proper application there, such as browser or FortiClient.
Signing user certificates
Users can request a user certificate through online SCEP. As administrator, you can allow the
FortiAuthenticator unit to either automatically sign the user’s certificate or alert you about the
request for signature.
To set signing policy
1. Go to Certificate Management > SCEP > General.
2. In Enrollment Method select either Automatic or Manual and Automatic.
3. Select OK.
Online certificates (SCEP)
The FortiAuthenticator contains a Simple Certificate Enrollment Protocol (SCEP) server. It can:
• Sign user certificate signing requests (CSR). There are 2 methods:
• Automatic: Pre-approved by admin. In this case, admin enters the certificate info on FAC
and gives the user a challenge password to use when submitting his/her request
• Manual: User submits the CSR. Request shows up as pending on FAC. Admin has to
manually approve the pending requests.
• Distribute Certificate Revocation Lists (CRLs).
• Distribute Certificate Authority (CA) certificates.
To use SCEP, you must:
• Enable HTTP administrative access on the interface connected to the Internet. Go to System
> Network > Interfaces.
• Add the CA certificate for your certificate authority (Go to Certificate Management >
Certificate Authorities > Certificates).
• Select the Certificate Authority to use for SCEP. (Go to Certificate Management > SCEP >
Settings).
Fortinet Technologies Inc.
Page 64
FortiAuthenticator v2.1 Administration Guide
To install or import a signed server certificate using SCEP
1. Go to Certificate Management > SCEP > Enrollment Requests and select Create New.
2. Select the Certificate authority. You must have the CA certificate installed.
3. Enter the user DN, either as a Fully distinguished name in the Subject DN field, or
Field-by-field.
4. Select the Validity period for the certificate.
5. Optionally, enter your email address and your Active Directory User Principal Name (UPN).
6. Select how the Challenge password for the certificate will be sent:
• Display on the screen
• by SMS (enter mobile number and provider information)
• E-mail (enter email address
7. Select OK.
Fortinet Technologies Inc.
Page 65
FortiAuthenticator v2.1 Administration Guide
Logging
Accounting is an important part of FortiAuthenticator as with any authentication server. Logging
provides a record of the events that have taken place on the FortiAuthenticator.
Configuring logging
Backing up logs to a remote FTP server
You can periodically save a copy of your logs to a remote FTP server.
To add an FTP server
1. Go to Logging > Log Config > FTP Servers and select Create New.
2. Enter
Name
This name identifies this FTP server in your configuration.
Address
The IP address of the FTP server.
Port
The TCP port on which to communicate with the FTP server. Default: 21.
Anonymous By default, the FortiAuthenticator connects anonymously to the FTP server. If
the server requires a logon, clear Anonymous and enter the Username and
Password to use.
3. Select OK.
To configure remote log backup
1. Go to Logging > Log Config > Log Setting.
2. Select Enable remote backup.
3. Select the Frequency and Time of backup.
4. Select the FTP Server to use.
5. Select OK.
Logging to a remote syslog server
Instead of accumulating logs locally, you can send them to a remote syslog server.
To add a syslog server
1. Go to Logging > Log Config > Syslog Servers and select Create New.
2. Enter
Fortinet Technologies Inc.
Name
This name identifies this syslog server in your configuration.
Address
The IP address of the syslog server.
Port
The UDP port on which to communicate with the syslog server. Default: 514.
Level
The minimum severity level of log to record.
Facility
The identifier to use for this unit in syslog records.
Page 66
FortiAuthenticator v2.1 Administration Guide
3. Select OK.
To configure remote logging
1. Go to Logging > Log Config > Log Setting.
2. Enable Send logs to remote syslog servers.
3. Select one or more servers in Available syslog servers and move them to
Chosen syslog servers.
4. Select OK.
Auto-deletion of old logs
You can automatically delete older logs.
To configure auto-deletion of logs
1. Go to Logging > Log Config > Log Setting.
2. Select Enable log auto-deletion.
3. Enter the maximum age of logs to keep, in days, weeks, or months.
4. Select OK.
Accessing logs
To access logs, go to Logging > Log Access > Logs. The Logs page has controls to help you
search your logs for the information you need. This includes:
• Search button
• Log entry order
• Log Type Reference
Search button
You can enter a string to search for in the log entries. The string must appear in the Message
portion of the log entry to result in a match for the search. To prevent each term in a phrase from
being matched separately, multiple keywords must be in quotes and be an exact match.
After the search is complete next to the Search button the number of positive matches will be
displayed, with the total number of log entries in brackets following. Select the total number of
log entries to return to the full list. Subsequent searches will search all log entries and not just
the previous search’s matches.
Log entry order
You can change the order used to display the log entries. To sort the log entries by a particular
column, such as Timestamp, select the title for that column. The log entries will now be
displayed based on data in that column in ascending order. Ascending or descending is
displayed with an arrow next to the column title — up arrow for ascending, and down arrow for
descending.
Log Type Reference
There are Admin Configuration, Authentication, System, and User Portal events. Each of these
have multiple log message types for each major event. To see the various types of log
messages, go to Logging > Log Access > Logs and select Log Type Reference.
Fortinet Technologies Inc.
Page 67
FortiAuthenticator v2.1 Administration Guide
On this page, you can search for the exact text of a specific log message. The search will return
any matches in any columns.
Exporting the log
On the Log Access page, you can select Download Raw Log to export the FortiAuthenticator
log as a text file named fac.log.
Fortinet Technologies Inc.
Page 68
FortiAuthenticator v2.1 Administration Guide
Troubleshooting
Problem
Check
All logins fail, no response
from FAC, no entries in
system log
• Check that the authentication client has been
correctly configured. If the authentication client is
not configured, all requests are silently dropped.
• Verify traffic is reaching the FortiAuthenticator. Is
there an intervening Firewall blocking 1812/UDP
RADIUS Authentication traffic, routing is correct,
authentication client is configured with correct IP
for FortiAuthenticator etc.
All logins fail with RADIUS
ACCESS-REJECT and
"invalid password" in logs
• Verify the authentication client secrets are identical
on the authentication client and FortiAuthenticator
• Reset user password and re-try
Generally logins are
successful however,
• Have user (privately) type password into local
individual user authentication
username field (do not click enter) or into notepad
attempt fails with
and look for unexpected characters (keyboard
"invalid password" in logs
regionalization issues)
Generally logins are
successful. However, user
authentication attempt fails
with "invalid token" in logs
• Verify the user is not trying to use a previously
used PIN number. Tokens are One Time
Passwords i.e. you cannot log in twice with the
same PIN.
• Verify the time and time zone on the
FortiAuthenticator is correct and preferably
synchronised using NTP.
• Verify the Token is correctly synced with the
FortiAuthenticator. Verify the drift by syncing the
token
• Verify the user is using the token assigned to them
(validate serial against FAC config)
• If the user is using an e-mail or SMS token, verify it
is being used within the valid timeout period.
You can find extended debug logs at https://<FortiAuthenticator IP Address>/debug.
Fortinet Technologies Inc.
Page 69
FortiAuthenticator v2.1 Administration Guide
Index
A
Authentication Activity widget 32
Authentication, Authorization, and Accounting (AAA) 5
C
certificate authority (CA) 40
Certificate Revocation List (CRL) 42
Certificate Signing Request (CSR) 43
common name, LDAP servers 25
CRL Distribution Point (CDP) 42
Logging 47, 48
authentication client 23
M
Microsoft Active Directory 41, 44
mode, operation 4
monitor
users 32
Monitoring 32
N
D
NTP 8
dashboard
Authentication Activity widget 32
User Inventory widget 32
default password 4
distinguished names
LDAP servers 26
domain component, LDAP servers 25
Domain Controllers 34
O
E
explicit proxy 15
F
firewall
open ports 7
ports 7
firmware updates 4
FortiGuard 22
FortiGuard Antivirus 4
Fortinet Single Sign On (FSSO)
Domain Controllers 34
ports 7
FortiToken 21
clock drift 23
monitoring 22
NTP 8
registering 22
synchronization 23
one-time password (OTP) 21
Online Certificate Status Protocol (OCSP) 43
operation mode 4
P
password
administrator 4
ports 7
product registration 4
proxy 15
R
RADIUS
ports 7
server 16
remote LDAP 23
S
Subject Alternative Names (SAN) 40
T
technical support 4
Token-based authentication 15, 18
troubleshooting 13
two-factor authentication
FortiToken 21
H
U
hierarchy
LDAP servers 25
User Inventory widget 32
User Principal Name (UPN) 41, 44
users 16
authentication client 16
monitor 32
monitor, dashboard 32
RADIUS authentication 16
L
LDAP servers
common name 25
distinguished names 26
domain component 25
hierarchy 25
Lightweight Directory Access Protocol (LDAP) 25
ports 7
remote server 23
Fortinet Technologies Inc.
W
Windows AD Domain Controllers 34
Windows Server 41, 44
Page 70
FortiAuthenticator v2.1 Administration Guide